- A software bug means private messages, password, and account details from some of the world’s biggest sites have been exposed.
- Google security researchers found the bug in Cloudflare’s software.
- Developers and security experts say Cloudflare is underplaying the problem.
A major software bug means that passwords from the world’s biggest sites, including Fitbit, OKCupid, and Uber have been leaking for months.
Security researchers revealed the flaw in internet infrastructure provider Cloudflare’s software on Thursday night.
Cloudflare said on Friday there was no sign yet the leak had been exploited by hackers — but security experts have said there is no way the company could know this.
Cloudflare hosts 6 million websites, spreading them across the internet to put them closer to customers while at the same time reducing their exposure to the so-called Distributed Denial of Service attacks that might knock them offline.
The data leak was attributable to a bug in the firm’s software that had been sending chunks of unrelated data to users’ browsers when they visited a webpage hosted by Cloudflare, according to a British researcher working on Google’s Project Zero security team, Tavis Ormandy.
“I’ve informed Cloudflare what I’m working on. I’m finding private messages from major dating sites, full messages from a well-known chat service, online password manager data, frames from adult video sites, hotel bookings. We’re talking full https requests, client IP addresses, full responses, cookies, passwords, keys, data, everything.”
He subsequently confirmed on Twitter that he was referred to OKCupid, among other services.
Cloudflare have been leaking customer HTTPS sessions for months. Uber, 1Password, FitBit, OKCupid, etc. https://t.co/wjwE4M3Pbk
— Tavis Ormandy (@taviso) February 23, 2017
Data leaked between September 2016 and February 2017, according to Cloudflare’s post on the issue.
Cloudflare CTO John Graham-Cumming said the problem had been fixed quickly and most of the exposed data removed from the caches of search engines like Google.
“We’ve seen absolutely no evidence that this has been exploited,” he told Reuters by phone. “It’s very unlikely that someone has got this information.”
One affected developer told Business Insider there is no way Graham-Cunning could know this. Ormandy also said Cloudflare had “severely downplayed” the risk to customers.
The leakage may have been active from September 22, but the period most affected was from February 13 until it was discovered on February 18. At its height earlier this month, Graham-Cumming said, about 120,000 webpages were leaking information every day.
Ormandy also wrote on Twitter that data from ridesharing service Uber and cloud password company 1Password had been leaking.
An Uber spokeswoman told Business Insider: “No Uber passwords were exposed and the handful of session tokens affected have since been changed”.
AgileBits,the maker of 1Password, denied in a blog post on Thursday that any personal data had been compromised.
A Fitbit spokesman told Business Insider:
“As the leader in the connected health and fitness category, Fitbit is committed to protecting the privacy of our users’ data and keeping data safe. We are currently investigating the issue reported with Cloudflare’s service to understand how it impacts our users. We encourage anyone who believes they have an issue to notify our team at email@example.com. Concerned users can change their account password, followed by logging out and in to the mobile application with the new password. We recommend that users avoid reusing passwords associated with their email address or any other accounts, as this practice leaves them more vulnerable to malicious behavior.”
And an OKCupid spokeswoman said:
“Cloudflare alerted us last night of their bug and we’ve been looking into its impact on OkCupid members. Our initial investigation has revealed minimal, if any, exposure. If we determine that any of our users has been impacted we will promptly notify them and take action to protect them.”
Other sites using Cloudflare include Transferwise, Medium, 4chan, and Transport for London, but not all sites have necessarily been affected.
Graham-Cumming said it was difficult to say which of Cloudflare’s 6 million websites had been affected. He said that Google and Cloudflare had been working together to remove any sensitive data from the store of webpages that search engines like Google collect when they index the web.
He said that process was not yet complete, which is why some researchers were still finding data if they knew where to look.
Some security researchers have said the problem is more serious than Cloudflare has described.
Jonathan Sublett of internet security company Shield Maiden said in a blog post that anyone who accessed sites that used Cloudflare “should consider their data public and work towards securing their accounts”.
Graham-Cumming said it was difficult to say which of their customers were affected. “There will be a debate about how serious this is,” he said. “We do not know of anybody who has had a security problem as a result of this.”