Once again, user data from at least 3,400 websites, including Fitbit, Uber and even 1Password, has been exposed, this time because of a security failure at Cloudflare, so users are advised to change their login passwords immediately.
Data belonging to users of over 3,400 sites has been leaked and cached by search engines as a result of a security bug in Cloudflare, a content delivery network used by thousands of websites. For months, sites such as Uber, Fitbit and the dating site OKCupid, among thousands of others, have been affected. 1Password also uses Cloudflare, but the company says that, thanks to its end-to-end encryption, its customers' data has not been exposed.
A security flaw that exposes data from hundreds of thousands of users
The security and privacy of our personal data is something that more people worry about every day, and with growing intensity. Increasingly, personal data is stored in “the cloud”, where in most cases anyone who knows our username and password can access it. That is why the information published today is particularly serious, both for the number of users it could affect and in qualitative terms.
According to ArsTechnica, Google security researcher Tavis Ormandy discovered that a security flaw in Cloudflare, a content delivery network used by millions of websites, allowed data of users of over 3,400 sites to be leaked and stored in search engine caches.
The service, used by 5.5 million websites, may have leaked passwords and authentication tokens.
A sample of the data Ormandy saw: a private message from the OKCupid dating site | Image: ArsTechnica
The affected sites include names as popular as Fitbit and Uber, as well as 1Password, which has nevertheless said that its users' data remains safe thanks to end-to-end encryption.
We have seen encryption keys, passwords, cookies, pieces of POST data and even HTTPS requests to other major sites hosted by other Cloudflare users. Once we understood what we were seeing and the implications, we stopped immediately and contacted Cloudflare security.
Cloudflare admits the failure, but may be underestimating its severity
Cloudflare has already admitted that the security flaw did occur, but both Tavis Ormandy and other security researchers believe the company is underestimating the severity of the incident. In a post published on the company blog under the title “Incident report on memory leak caused by Cloudflare parser bug”, Cloudflare acknowledges that the breach was serious, but also notes that there is no evidence the bug has been exploited.
The bug was serious because the leaked memory could contain private information and because it had been cached by search engines. We have not found any evidence of malicious exploitation of the bug or other reports of its existence.
Ormandy was quick to respond to the company's statements, saying that the post published by Cloudflare offers an excellent “post-mortem” analysis but at the same time “seriously downplays the risk to customers”.
Changing passwords is recommended
Ryan Lackey, another respected security researcher, agrees with Ormandy's statements and says that, although the probability that passwords were exposed is low, the risk exists, so users are advised to change them.
Google, Bing, Yahoo and other search engines have already been deleting the cached data, which is why the facts are being made public now, but ArsTechnica points out that some cached data still remains.