Bug causes personal data leak, but no sign of hackers exploiting: Cloudflare

Fri Feb 24, 2017 3:25am EST
 
Email This Article |
Share This Article
  • Facebook
  • LinkedIn
  • Twitter
| Print This Article | Single Page
[-] Text [+]

By Jeremy Wagstaff

SINGAPORE (Reuters) - A bug in its software left hundreds of thousands of webpages hosted by Cloudflare Inc leaking encrypted personal data, but there was no sign yet the leak had been exploited by hackers, the Internet security firm said on Friday.

Cloudflare hosts six million websites, spreading them across the Internet to put them closer to customers while at the same time reducing their exposure to the so-called Distributed Denial of Service attacks that might knock them offline. 

The data leak was attributable to a bug in the firm's software that had been sending chunks of unrelated data to users' browsers when they visited a webpage hosted by Cloudflare, according to Google researchers.

Cloudflare Chief Technology Officer John Graham-Cumming said the problem had been fixed quickly and most of the exposed data removed from the caches of search engines like Alphabet's Google. 

"We've seen absolutely no evidence that this has been exploited," he told Reuters by phone. "It's very unlikely that someone has got this information." 

The leakage may have been active from Sept. 22, but the period most affected was from Feb. 13 until it was discovered on Feb. 18. At its height earlier this month, Graham-Cumming said, about 120,000 webpages were leaking information every day.

Some of this data included "private messages from major dating sites, full messages from a well-known chat service, online password manager data, frames from adult video sites, hotel bookings" as well as cookies, passwords and software keys, Google security researcher Tavis Ormandy, who discovered the bug, wrote in a forum on Feb. 19. 

Ormandy also wrote on Twitter that data from ridesharing service Uber [UBER.UL] and cloud password company 1Password had been leaking. Uber declined to comment, while AgileBits, the maker of 1Password, denied in a blog post on Thursday that any personal data had been compromised.    Continued...

 
FILE PHOTO: Matthew Prince, chief executive at an internet start-up company called CloudFlare, poses in his office in San Francisco December 10, 2012.   REUTERS/Gerry Shih/File Photo