'Cloudbleed' post-mortem points to huge data leak, but no evidence of exploitation

The networking giant Cloudflare didn't underplay the severity of the bug, but did downplay the scope in which users' encrypted data may have been inadvertently exposed over the past six months.
Written by Zack Whittaker, Contributor

Cloudflare's investigation into an inadvertent mass leaking of encrypted browsing sessions found that the bug was triggered over a million times in the past six months before it was fixed.


"Cloudbleed," named after a mashup between a similar bug, Heartbleed, and the company's name.

But while on one hand the networking giant said the vulnerability had the "potential to be much worse," engineers found "no evidence" that the bug was maliciously exploited before it was patched.

Lucky break.

"Given the scale of Cloudflare, the impact was potentially massive," said Matthew Prince, chief executive of the networking giant, in a blog post Wednesday.

It comes as Cloudflare, which provides website infrastructure, content delivery, and security to millions of websites, tries to restore trust in its service after a serious flaw allowed sensitive and encrypted information to leak onto the web.

Google security researcher Tavis Ormandy privately disclosed the bug to Cloudflare, which rolled out a fix within "minutes", said Prince.

The company explained in its disclosure that buggy code in its edge servers allowed data to run over the buffer and return memory that wasn't encrypted.

Or, as Ormandy put it: "We're talking full HTTPS requests, client IP addresses, full responses, cookies, passwords, keys, data, everything."

The problem was compounded by search engines, including Google, Bing, and China's Baidu, caching some of the leaked data. More than 80,000 unique cached pages have been removed since the flaw was discovered, said Prince.

Prince confirmed in the blog post that 1.2 million requests were at risk of being leaked since the bug was inadvertently introduced in late-September until February 13 when the bug was fixed.

He also said, despite Ormandy's claim, that there were no credit cards or bitcoin addresses found in the leaked data, no health records or social security numbers, and no customer passwords.

Cloudflare confirmed that customer SSL private keys were not leaked.

Editorial standards