Cloudflare Bug Puts Corporate Companies at Risk
A software bug at Cloudflare Inc. was disclosed Thursday, February 23. It is believed that this bug has affected company systems since September of last year, causing some of Cloudflare’s web servers to leak information that should have remained private, potentially including passwords and other types of authenticated data.
Before the fix, the bug was said to have affected about one in every 3.3 million web requests processed by its network. Cloudflare serves billions of pages each day, meaning the number of “leaky” pages could add up to nearly 120,000 per day, the company said.
Even worse, some pages were then copied automatically by search engines, making the private information viewable in cached versions of the page’s source code.
Cloudflare has said they have not found any evidence that the leaked data was misused, “Although it is a very scary thing to have private information exposed like this, we think it’s unlikely that someone actually spotted it and did something bad with it.” John Graham-Cumming, Cloudflare’s chief technology officer said in an interview with Wall Street Journal.
It wasn’t immediately clear how many companies were affected by the bug, but Cloudflare has over 5 million customers. Its clients include dating site OkCupid and AngileBits, Inc., maker of the 1Password security software.
The bug was discovered by a researcher at Google a week ago. Cloudflare said it is working with Google and other search-engine companies to remove any leaked data, most of which has been scrubbed by the time the news of the bug was released, Cloudflare said.