Cloudflare bug leaks personal information to search engines

US Internet giant Cloudflare revealed yesterday that a bug in its coding had put many users’ sensitive information at risk.

Google Zero engineer Travis Ormandy was the first to notice the mishap, and immediately tweeted a request to talk with someone from Cloudflare’s security department.

Could someone from cloudflare security urgently contact me.

— Tavis Ormandy (@taviso) February 18, 2017

Ormandy had noticed that corrupted web pages were being returned from HTTP requests run through Cloudflare.

When alerted, the company immediately noticed the problem was being caused by three minor features and shut them down before going about fixing the issue.

At its peak, data only leaked from 0.00003% of HTTP requests that went through them, but the company’s service powers more than 10 trillion requests per month. In the five days at the height of the leak, 50 million requests could have been compromised — potentially containing users’ passwords or even messages from dating sites.

“The industry standard time allowed to deploy a fix for a bug like this is usually three months; we were completely finished globally in under 7 hours with an initial mitigation in 47 minutes,” Cloudflare wrote.

What took the company so long to announce the bug was the fact that search engines had cached the leak data in their standard caching processes. With the help of Google, Yahoo, Bing, and others, Cloudflare made sure all leaked data was well and truly purged.

Feature image: Garret Heath via Flickr (CC 2.0, resized)