Google reveals a massive web leak, prompts password concerns

Cloudflare, a multibillion-dollar startup that runs a popular content delivery network used by more than 5.5 million sites, encountered a bug that accidentally leaked information for months.

Google has uncovered a web leak that may have exposed passwords, private messages and other sensitive data from a vast number of sites, including major services like Uber, FitBit and OKCupid.

According to a report in Forbes, the issue is being dubbed Cloudbleed because it was caused by a vulnerability in code from a hugely popular web company, Cloudflare, and is not dissimilar to the infamous Heartbleed bug of 2014.

The report added that the issue resembles Heartbleed in that Cloudflare, which hosts and serves content for at least 2 million websites, was returning random chunks of memory from vulnerable servers when requests came in.

The web leak is even more severe because search engines were caching the leaked data. A further concern is that Cloudflare typically serves content for different sites from the same server, so a request to one vulnerable website could return information from a separate, unrelated Cloudflare-fronted site, the report said.

Pen Test Partners white hat hacker Andrew Tierney explained: "For example, you could have visited a page on uber.com, and a chunk of memory from a previous request/response to okcupid.com would be returned."

"This sensitive data could have been returned to anyone. There was no need to carry out an active attack to obtain the data - my mum may have someone else's passwords stored in her browser cache just by visiting another CloudFlare fronted site," he continued.
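The cross-tenant over-read described above, as an added illustration in C (this is not Cloudflare's code and not the actual Cloudbleed parser): a tag scanner that ignores its buffer bound walks off the end of one site's page into stale memory left by a previous request to a different site, and the bounded version beside it stops at the buffer edge. The memory layout, the tenant names and the sample request data are all constructed for the demo.

```c
#include <stdio.h>
#include <string.h>

#define PAGE_LEN 64      /* size of the per-request page buffer */
#define MEM_LEN  192     /* size of the simulated process memory */

/* Constructed sample data for the illustration (not real leaked content). */
static const char PAGE[] = "<html><body>uber.com page<script";   /* unterminated tag */
static const char STALE[] =
    "POST /login Host: okcupid.com Cookie: sid=abc123 password=hunter2>";

/* One contiguous block standing in for a server process's memory: the
 * current request's page buffer is followed immediately by a stale buffer
 * still holding a previous request to a different site. */
static char mem[MEM_LEN];

static void fill_memory(void) {
    memset(mem, '.', sizeof mem);                 /* '.' = stale, uninitialised bytes */
    memcpy(mem, PAGE, strlen(PAGE));              /* current tenant's page, no NUL */
    memcpy(mem + PAGE_LEN, STALE, strlen(STALE)); /* previous tenant's request */
}

/* Vulnerable: copies from the '<' until a '>' is found, never consulting the
 * buffer length. An unterminated tag at the end of the page sends the scan
 * into the neighbouring memory, which then ends up in the response. */
size_t extract_tag_vulnerable(const char *buf, size_t len, size_t start,
                              char *out, size_t outcap) {
    size_t n = 0;
    (void)len;                                    /* bound available but unused */
    for (size_t i = start; n + 1 < outcap; i++) {
        out[n++] = buf[i];
        if (buf[i] == '>') break;
    }
    out[n] = '\0';
    return n;
}

/* Fixed: the same scan, but it can never read past len. An unterminated tag
 * yields a truncated tag, never another tenant's data. */
size_t extract_tag_fixed(const char *buf, size_t len, size_t start,
                         char *out, size_t outcap) {
    size_t n = 0;
    for (size_t i = start; i < len && n + 1 < outcap; i++) {
        out[n++] = buf[i];
        if (buf[i] == '>') break;
    }
    out[n] = '\0';
    return n;
}

/* Serve the page through each parser; returns the number of bytes placed in out. */
size_t serve_vulnerable(char *out, size_t outcap) {
    fill_memory();
    size_t start = (size_t)(strstr(PAGE, "<script") - PAGE);
    return extract_tag_vulnerable(mem, PAGE_LEN, start, out, outcap);
}

size_t serve_fixed(char *out, size_t outcap) {
    fill_memory();
    size_t start = (size_t)(strstr(PAGE, "<script") - PAGE);
    return extract_tag_fixed(mem, PAGE_LEN, start, out, outcap);
}

/* True if the response carries a credential belonging to the other tenant. */
int leaks_other_tenant(const char *response) {
    return strstr(response, "password=") != NULL;
}

int main(void) {
    char out[160];
    size_t n = serve_vulnerable(out, sizeof out);
    printf("vulnerable: %zu bytes, leaks other tenant: %s\n%s\n\n",
           n, leaks_other_tenant(out) ? "yes" : "no", out);
    n = serve_fixed(out, sizeof out);
    printf("fixed: %zu bytes, leaks other tenant: %s\n%s\n",
           n, leaks_other_tenant(out) ? "yes" : "no", out);
    return 0;
}
```

The vulnerable scanner returns the unterminated `<script` tag, the stale padding and the whole of the previous tenant's login request in one response; the fixed scanner returns only the bytes that belong to the page being served. The point for a reviewer is that the bound was available to the parser all along, and the defect is simply that the loop condition never checks it.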

Tavis Ormandy, a well-known Google bug hunter, described the issue, noting that he informed Cloudflare of the problem on February 17.

"I'm finding private messages from major dating sites, full messages from a well-known chat service, online password manager data, frames from adult video sites, hotel bookings. We're talking full HTTPS requests, client IP addresses, full responses, cookies, passwords, keys, data, everything," claimed Ormandy.

In reply, Cloudflare sent him a draft post that "severely downplays the risk to customers," Ormandy wrote.

Following Ormandy's disclosure, Cloudflare on Thursday officially confirmed that a bug in its code caused sensitive data to leak from some of the major websites that use its performance and security services. Uber, Fitbit, OkCupid and 1Password are among Cloudflare's millions of clients.

It also admitted that the earliest date memory could have leaked was September 22, 2016. Cloudflare also said one of its own private keys leaked, one used for internal machine-to-machine encryption.