CloudFlare – CloudBleed Security Vulnerability Found

A CloudFlare security vulnerability has been found recently. This is a memory bug which could allow sensitive information to get leaked. CloudFlare has since patched this security risk.

However, while this bug was in the wild, valuable data may have been compromised. Tavis Ormandy part of Google’s Project Zero first noticed this security problem. He noticed corrupt data from some CloudFlare hyper text transfer protocol servers.

CloudFlare’s edge servers were returning back private and sensitive data. Also, this data was being cached by some search engines. This data was only exclusive to non security HTTP requests.

In other words data protected with secure sockets layer was not vulnerable. CloudFlare claims they were able to patch this bug in less than seven hours. Initially, they shutdown email obfuscation, server side excludes and automatic secure hyper text transfer protocol rewrites. CloudFlare worked with Google and other search engines to help removal of possible cached sensitive information.

Unfortunately, sensitive data such as passwords may have been leaked while this exploit was live. CloudFlare is a content delivery network.