Cloudbleed: Cloudflare leaks sensitive data, many major websites affected

cloudbleed 2

Security researchers from Google's Project Zero have uncovered a critical bug in Cloudflare which allowed sensitive data -- like passwords, cookies and encryption keys -- from many hosted websites to leak online.

Patreon, Y Combinator, Medium, 4chan, Yelp, OKCupid, Zendesk, Uber and 23and Me are among the most-important affected websites. This security issue is so important that it is now being referred to as cloudbleed.


The bug, which was discovered on February 17 according to Project Zero's Tavis Ormandy and is now fixed, has caused the most damage between February 13 and February 18, according to Cloudflare, when about one in every 3,300,000 HTTP requests caused data to leak.

Ormandy says that the Project Zero team who analyzed the issue "observed encryption keys, cookies, passwords, chunks of POST data and even HTTPS requests for other major cloudflare-hosted sites from other users" in the samples of collected data. Cloudflare was notified on February 18 by Ormandy, via Twitter.

Cloudflare has provided a through incident report on its blog, which explains in depth what caused the bug and how it was fixed, so if you want to learn more about it you can check out this official post.

Cloudflare has a significant number of customers, so the list of affected websites (and apps) is quite substantial. A GitHub project has been set up to identify affected websites, based on data provided by Cloudflare and other resources, and you can check out the list here.

It should be noted that not all websites that use Cloudflare are affected by cloudbleed. The aforementioned GitHub project mentions that, for instance, Slack Overflow, is safe, and so are 1Password and FastMail. In case you are wondering, BetaNews is not a Cloudflare customer, and, as such, is not affected by cloudbleed.

15 Responses to Cloudbleed: Cloudflare leaks sensitive data, many major websites affected

© 1998-2021 BetaNews, Inc. All Rights Reserved. Privacy Policy - Cookie Policy.