Cloudflare the security platform that protects websites against hacks and DDOS attacks has been revealed to suffer from a bug in a legacy version of their software has exposed potentially millions of pieces of personal data. Cloudflare is used by millions of websites worldwide including some popular website such as Okcupid, Nasdaq and fastmail
The bug was found on 17th February by Tavis Ormandy a security researcher who works for Google and Cloudflare have now fixed the bug.
The bug allowed for a small amount of private information from one website to end up in the code of another website. So this could have resulted in a private message from a dating app or ecommerce website order appearing on a website where it shouldn’t. Cloudflare say the bug is as only affecting 3000 website running particular HTML that was spewing data from the Cloudflare servers. They have said that they know of about 150 website whose data has been leaked and although the bug has been fixed there is potential that some of the leaked data could have been picked up by Google cache and still be out in the wild.
Although it is believed that the chances of any password information or other sensitive data being used from this leak is very low it does go to show how services such as Cloudflare which are relied on by millions of users everyday could potentially be a gold mine for hackers should another such bug be discovered by them.