Bug causes personal data leak, but no sign of hackers exploiting: Cloudflare
[February 24, 2017]
By Jeremy Wagstaff
SINGAPORE (Reuters) - A bug in its software left hundreds of thousands of webpages
hosted by Cloudflare Inc leaking encrypted personal data, but there was
no sign yet the leak had been exploited by hackers, the Internet
security firm said on Friday.
Cloudflare hosts six million websites, spreading them across the
Internet to put them closer to customers while at the same time reducing
their exposure to the so-called Distributed Denial of Service attacks
that might knock them offline.
The data leak was attributable to a bug in the firm's software that had
been sending chunks of unrelated data to users' browsers when they
visited a webpage hosted by Cloudflare, according to Google researchers.
Cloudflare Chief Technology Officer John Graham-Cumming said the problem
had been fixed quickly and most of the exposed data removed from the
caches of search engines like Alphabet's Google.
"We've seen absolutely no evidence that this has been exploited," he
told Reuters by phone. "It's very unlikely that someone has got this
information."
The leakage may have been active from Sept. 22, but the period most
affected was from Feb. 13 until it was discovered on Feb. 18. At its
height earlier this month, Graham-Cumming said, about 120,000 webpages
were leaking information every day.
Some of this data included "private messages from major dating sites,
full messages from a well-known chat service, online password manager
data, frames from adult video sites, hotel bookings" as well as cookies,
passwords and software keys, Google security researcher Tavis Ormandy,
who discovered the bug, wrote in a forum on Feb. 19.
[Photo: Matthew Prince, chief executive at an internet start-up company called CloudFlare, poses in his office in San Francisco December 10, 2012. REUTERS/Gerry Shih/File Photo]
Ormandy also wrote on Twitter that data from ridesharing service Uber [UBER.UL]
and cloud password company 1Password had been leaking. Uber declined to
comment, while AgileBits, the maker of 1Password, denied in a blog post
on Thursday that any personal data had been compromised.
Graham-Cumming said it was difficult to say which of Cloudflare's six
million websites had been affected. He said that Google and Cloudflare
had been working together to remove any sensitive data from the store of
webpages that search engines like Google collect when they index the
web.
He said that process was not yet complete, which is why some researchers
were still finding data if they knew where to look.
Some security researchers have said the problem is more serious than
Cloudflare has described.
Jonathan Sublett of internet security company Shield Maiden said in a
blog post that anyone who accessed sites that used Cloudflare "should
consider their data public and work towards securing their accounts".
Graham-Cumming said it was difficult to say which of their customers
were affected. "There will be a debate about how serious this is," he
said. "We do not know of anybody who has had a security problem as a
result of this."
(Reporting By Jeremy Wagstaff; Editing by Himani Sarkar)
© 2017 Thomson Reuters. All rights reserved. This material may not be published, broadcast, rewritten or redistributed.