Serious Cloudflare bug exposed a potpourri of secret customer data

Mike Goodwin mike.goodwin at
Sat Feb 25 07:21:48 UTC 2017

Useful information on potentially compromised sites due to this:


On 24 Feb 2017, at 10:31 pm, Rich Kulawiec <rsk at<mailto:rsk at>> wrote:

(h/t to Richard Forno)

After you're done reading the Ars Technica article excerpted and linked
below, you may also want to read:

   Cloudflare Reverse Proxies Are Dumping Uninitialized Memory

and, as background:

   CloudFlare, We Have A Problem

and then perhaps consider this comment from the Ycombinator thread:

   Where would you even start to address this? Everything you've
   been serving is potentially compromised, API keys, sessions,
   personal information, user passwords, the works.

   You've got no idea what has been leaked. Should you reset all
   your user passwords, cycle all or your keys, notify all your
   customers that there data may have been stolen?

   My second thought after relief was the realization that even
   as a consumer I'm affected by this, my password manager has > 100
   entries what percentage of them are using CloudFlare? Should
   I change all my passwords?


----- Forwarded message from Richard Forno <rforno at<mailto:rforno at>> -----

From: Richard Forno <rforno at<mailto:rforno at>>
Date: Fri, 24 Feb 2017 07:30:21 -0500
To: Infowarrior List <infowarrior at<mailto:infowarrior at>>
Subject: [Infowarrior] - Serious Cloudflare bug exposed a potpourri of
   secret customer data

Serious Cloudflare bug exposed a potpourri of secret customer data

Service used by 5.5 million websites may have leaked passwords and authentication tokens.

Dan Goodin - 2/23/2017, 8:35 PM

Cloudflare, a service that helps optimize the security and performance of
more than 5.5 million websites, warned customers today that a recently
fixed software bug exposed a range of sensitive information that could
have included passwords, and cookies and tokens used to authenticate

A combination of factors made the bug particularly severe. First, the
leakage may have been active since September 22, nearly five months
before it was discovered, although the greatest period of impact was
from February 13 and February 18. Second, some of the highly sensitive
data that was leaked was cached by Google and other search engines. The
result was that for the entire time the bug was active, hackers had
the ability to access the data in real-time, by making Web requests
to affected websites, and to access some of the leaked data later by
crafting queries on search engines.

"The bug was serious because the leaked memory could contain private
information and because it had been cached by search engines," Cloudflare
CTO John Graham-Cumming wrote in a blog post published Thursday. "We
are disclosing this problem now as we are satisfied that search engine
caches have now been cleared of sensitive information. We have also
not discovered any evidence of malicious exploits of the bug or other
reports of its existence."

The leakage was the result of a bug in an HTML parser chain Cloudflare
uses to modify Web pages as they pass through the service's edge
servers. The parser performs a variety of tasks, such as inserting Google
Analytics tags, converting HTTP links to the more secure HTTPS variety,
obfuscating email addresses, and excluding parts of a page from malicious
Web bots. When the parser was used in combination with three Cloudflare
features???e-mail obfuscation, server-side Cusexcludes, and Automatic
HTTPS Rewrites???it caused Cloudflare edge servers to leak pseudo random
memory contents into certain HTTP responses.
< - >

This email and any attachment to it are confidential. Unless you are the intended recipient, you may not use, copy or disclose either the message or any information contained in the message.
If you are not the intended recipient, you should delete this email and notify the sender immediately. Any views or opinions expressed in this email are those of the sender only, unless otherwise stated. All copyright in any sep2 material in this email is reserved.
All emails, incoming and outgoing, may be recorded by sep2 and monitored for legitimate business purposes.
sep2 exclude all liability for any loss or damage arising or resulting from the receipt, use or transmission of this email to the fullest extent permitted by law.
sep2 limited is Registered in England number 09988870, registered office sep2 limited, Swale Suite, 2nd Floor, 5 York Place, Leeds LS1 2DR

More information about the NANOG mailing list