(Image source: The Hacker News)

A security vulnerability has been discovered in CloudFlare’s HTML parser that leaked website’s sensitive data. This leaked data includes passwords, private messages, API keys, and other sensitive information.

The vulnerability was discovered a week ago, by a security researcher from Google Project Zero, Tavis Ormandy.  He was seeing corrupted web pages being returned by some HTTP requests run through CloudFlare. Tavis Ormandy contacted CloudFlare to report the security problem and CloudFlare quickly identified the problem.

Cloudbleed - Tavis Ormandy

In a blog post, CloudFlare says: “It turned out that in some unusual circumstances…. our edge servers were running past the end of a buffer and returning memory that contained private information such as HTTP cookies, authentication tokens, HTTP POST bodies, and other sensitive data. And some of that data had been cached by search engines.”

To mitigate the security problem, CloudFlare turned off three minor features – email obfuscation, Server-side Excludes and Automatic HTTPS Rewrites – that were all using the same HTML parser chain that was causing the leakage. Although this bug is serious, CloudFlare claim that they have not discovered any evidence of malicious exploits of the bug or other reports of its existence.

This page on GitHub, gives a list of sites possibly affected by Cloudbleed. Among them are a few notable ones like Yelp, Uber and 1Password.

As the GitHub page notes, it is recommended to change passwords if you are using the affected sites, rotate API keys and secrets and configure 2FA for important accounts.