Cloudflare Bug Leaks Sensitive User Data Via Cloudbleed Security Hole

By Edward Leano, Christian Post Contributor

Cloudflare, a major host and content server for some of the most popular websites in use today, has gone public about a serious bug last Feb. 23. The security breach "was serious because the leaked memory could contain private information and because it had been cached by search engines," according to the internet company.

The error in Cloudflare's code was first reported by Google's Project Zero, a team of security analysts who find vulnerabilities in major internet services. Tarvis Ormandy has first pointed out the issue on Feb. 17. In his proof-of-concept attack, Ormandy was able to get past a Cloudflare server's security and duped the service into giving him, among other things, IP addresses, passwords, private messages, chat text and all sorts of sensitive personal information.

On Feb. 23, Cloudflare developer John Graham-Cunning announced the issue through an esoteric blog post titled "Incident report on memory leak caused by Cloudflare parser bug." Aside from a highly technical walkthrough on the cause of the error and the remedies that the company has applied, the post presents a detailed timeline of the events from discovery to the fix.

Get Our Latest News for FREE

Subscribe to get daily/weekly email with the top stories (plus special offers!) from The Christian Post. Be the first to know.

It seems that Cloudflare was able to patch the bug out by Feb. 18. The company acted early and quickly enough to have fixed the security hole in less than seven hours, according to Wired.

The chief executive officer (CEO) for Cloudflare, Matthew Prince, estimates that the bug affected a tiny portion of their client sites that were using a very specific set of Cloudflare settings. In their estimate, about 3,000 customers have their websites exposed by the leak. Given that it's hard to tell if a user is affected by the bug, security researcher Ryan Lackey suggests changing the password for a potentially compromised website.

A site like doesitusecloudflare.com can let a user know if a particular site could have been affected by the breach. A few users have gathered a list in Github as well. In the list of notable sites, a few services stand out — Crunchyroll, Reddit, OkCupid, Uber and Yelp, among many others.

For users who have personal accounts on these services, a password change is highly recommended.

Was this article helpful?

Help keep The Christian Post free for everyone.

By making a recurring donation or a one-time donation of any amount, you're helping to keep CP's articles free and accessible for everyone.

$25/month$50/quarter$100/yearOne-time

We’re sorry to hear that.

Hope you’ll give us another try and check out some other articles. Return to homepage.

Most Popular

More Articles