Cloudflare Says Cloudbleed Leaked Loads of Data, But No Trace of Exploitation

Bot

Cloudflare investigated the mass leaking of encrypted browsing sessions Google's experts discovered but found no evidence of exploitation, despite the huge vulnerability the bug brought to the table.

The company admits that this vulnerability had the potential to be much worse, but, lucky for them, and the users, there's no evidence of malicious exploitation before the patch was rolled out.

"After a review of tens of thousands of pages of leaked data from search engine caches, we have found a large number of instances of leaked internal Cloudflare headers and customer cookies, but we have not found any instances of passwords, credit card numbers, or health records," Cloudflare says, adding that it has not stopped reviewing the incident.

The company adds that while millions of websites use Cloudflare, the vast majority of the customers had no data leaks, which is good news for obvious reasons.

The company is doing a pretty good job at trying to restore customer and user trust in its infrastructure. Both last week and now, Cloudflare issued a pretty long and detailed account of what happened and why and how things were handled.

Cloudbleed, but not really
It all started when Google security researcher Tavis Ormandy privately disclosed the bug to Cloudflare, which rolled out a fix in record time.

In its disclosure, Cloudflare explains that the problem was caused by faulty code in its edge servers which allowed data to run over the buffer, return memory that wasn't encrypted and expose people's browsing information. The list included HTTPS requests, client IP addresses, full responses, cookies, passwords, keys, data, and loads more.
