User Data From 3,400 Websites Leaked Due To Cloudflare Bug

User data of approximately 3,400 apps, websites, and online services was leaked online due to a bug in Cloudflare, an online content delivery network. The company acknowledged the incident on Thursday but stated that while hundreds of services were affected, there's no evidence that the issue has been exploited by anyone. The data that was exposed was cached by Internet search engines but seeing how everything was encrypted, the chance of anyone being compromised is relatively low. Regardless, Cloudflare was still accused of downplaying the significance of the incident seeing how the issue could potentially cause more problems in the future. Some of the affected services include the likes of Fitbit, OKCupid, and Uber, as well as 1Password. However, the latter service already commented on the incident and stated that none of its users were affected thanks to end-to-end encryption.

Regardless, cyber security experts are still recommending affected users to change their passwords as a preventive measure. Cloudflare's John Graham-Cumming revealed that some sensitive information like authentication tokens and HTTP cookies have been exposed as a result of the bug, but no private SSL keys have been leaked. The problem was apparently caused by an HTML parser chain used by some Cloudflare features like Automatic HTTPS Rewrites and email obfuscation. After those features were turned off, Cloudflare established two teams in London and San Francisco who have managed to resolve the issue on a global level in less than seven hours, Graham-Cumming said.

Regardless, the issue has been present for a while and managed to expose user data from hundreds of websites and online services. Experts estimate that Cloudflare has been leaking data for months before Google's Tavis Ormandy from Project Zero started suspecting what was happening and notified Cloudflare about the issue. Google Search, Microsoft Bing, and other Internet search engines are currently in the process of purging their directories from the accidentally cached data, but seeing how many of them have public caches, it's possible someone already made a copy of all the sensitive information leaked by Cloudflare. However, the risk of being compromised is still relatively low. Those interested in the technical details behind this entire ordeal can learn more by following the source link below.

Copyright ©2019 Android Headlines. All Rights Reserved
This post may contain affiliate links. See our privacy policy for more information.
You May Like These
More Like This:
About the Author

Dominik Bosnjak

Head Editor
Dominik started at AndroidHeadlines in 2016 and is the Head Editor of the site today. He’s approaching his first full decade in the media industry, with his background being primarily in technology, gaming, and entertainment. These days, his focus is more on the political side of the tech game, as well as data privacy issues, with him looking at both of those through the prism of Android. Contact him at [email protected]