While working on something completely unrelated , Google security researcher , Tavis Ormandy , recently discovered Vulnerability-related.DiscoverVulnerability that Cloudflare was leaking Attack.Databreach a wide range of sensitive information , which could have included everything from cookies and tokens , to credentials . Cloudflare moved quickly to fix Vulnerability-related.PatchVulnerability things , but their postmortem downplays the risk to customers , Ormandy said . The problem on Cloudflare 's side , which impacted Vulnerability-related.DiscoverVulnerability big brands like Uber , Fitbit , 1Password , and OKCupid , was a memory leak . The flaw resulted in the exposure of `` HTTP cookies , authentication tokens , HTTP POST bodies , and other sensitive data , '' Cloudflare said . About an hour after being alerted Vulnerability-related.DiscoverVulnerability by Ormandy , Cloudflare disabled three features on its platform ; email obfuscation , Server-side Excludes and Automatic HTTPS Rewrites , as they were using the broken HTML parser chain determined to be the cause of the problem .

Having had more than a week to digest Cloudbleed ’ s causes and impact , Cloudflare CEO Matthew Prince assessed the damage yesterday in a lengthy post-mortem as relatively low . Prince said Vulnerability-related.DiscoverVulnerability there is no evidence the vulnerability , which leaked customer data from memory , was exploited Vulnerability-related.DiscoverVulnerability by attackers . The bug , however , was triggered more than 1.2 million times from 6,500 sites that met the criteria under which it could be exploited Vulnerability-related.DiscoverVulnerability . In the meantime , Cloudflare continues to work with Google and other search engine providers to scrub cached sites that could contain any leaked data from memory . “ We ’ ve successfully removed more than 80,000 unique cached pages . That underestimates the total number because we ’ ve requested search engines purge and recrawl entire sites in some instances , ” Prince said . Prince said leaks Attack.Databreach have included internal Cloudflare headers and customer cookies , but no evidence of passwords , encryption keys , payment card data or health records among the leaks Attack.Databreach . The vulnerability was privately disclosed Vulnerability-related.DiscoverVulnerability Feb 17 by Google Project Zero researcher Tavis Ormandy , who reported that he did see crypto keys , passwords , POST data and HTTPS requests for other Cloudflare-hosted sites among data from other requests . Ormandy initially said in a tweet that Cloudflare was leaking Attack.Databreach customer HTTPS sessions for Uber , FitBit , OKCupid and others , all of which said the impact of Cloudbleed on their data was minimal . “ While the bug was very bad and had the potential to be much worse , ” Prince said . Prince explained that the bug was triggered only when a webpage moving through the Cloudflare network contained HTML ending with an un-terminated attribute , and if a number of Cloudflare features were turned on . Those features hand in hand with a Cloudflare stream parser used to scan and modify content in real time such as rewriting HTTP links to HTTPS—a feature called Automatic HTTPS Rewrites—or hiding email addresses on a page from spammers—a feature called Email Address Obfuscation . The need to end with an un-terminated attribute was key . “ When a page for a particular customer is being parsed it is stored in memory on one of the servers that is a part of our infrastructure . Contents of the other customers ’ requests are also in adjacent portions of memory on Cloudflare ’ s servers , ” Prince said . “ The bug caused the parser , when it encountered un-terminated attribute at the end of a page , to not stop when it reached the end of the portion of memory for the particular page being parsed . Instead , the parser continued to read from adjacent memory , which contained data from other customers ’ requests . The contents of that adjacent memory were then dumped Attack.Databreach onto the page with the flawed HTML ” . Anyone accessing one of those pages would see the memory dump , looking a lot like random text , below , Prince said . An attacker would need to pound one of those sites with numerous requests to trigger the bug and then record the results , getting a mix of useless data and sensitive information , Prince said . “ The nightmare scenario we have been worried about is if a hacker had been aware of the bug and had been quietly mining data before we were notified Vulnerability-related.DiscoverVulnerability by Google ’ s Project Zero team and were able to patch Vulnerability-related.PatchVulnerability it , ” Prince said . “ For the last 12 days we ’ ve been reviewing our logs to see if there ’ s any evidence to indicate that a hacker was exploiting Vulnerability-related.DiscoverVulnerability the bug before it was patched Vulnerability-related.PatchVulnerability . We ’ ve found nothing so far to indicate that was the case ” . Prince said Cloudflare customers who find any leaked cached data can send a link to the caches to parserbug @ cloudflare [ . ] com . Over 2,000 WordPress sites are infected as part of a keylogger campaign that leverages an old malicious script .