CloudFlare notified customers of a critical security problem that led to sensitive customer data getting leaked and cached by search engines.
The problem, an uninitialized memory leak named Cloydbleed, was discovered and made public by Google Project Zero researcher Tavis Ormandy.
Cloudflare CTO John Graham-Cumming explained in a statement that the company’s "edge servers were running past the end of a buffer and returning memory that contained sensitive information".
CloudFlare said Cloudbleed may have first been a problem in September 2016 when they apparently enabled automatic HTTP rewrites. Then it got worse after a couple of features, server-side excludes and email obfuscation, were migrated to new parsers this year. The content delivery network has determined that the period with the greatest impact was February 13-18, when one in every 3.3 million HTTP requests going through CloudFlare may have resulted in memory leakage.
According to Graham-Cumming, customers’ SSL private keys were not leaked. He did however admit that a private key used to encrypt connections between the company’s own machines was compromised.
CloudFlare said there was no evidence of any malicious exploits or information being leaked on Pastebin or other such websites. Google Project Zero said it destroyed the data samples collected during its analysis. But this also comes as some web services have also issued statements to their customers requesting they reset their passwords as it is not yet clear what was leaked.