Earlier this month, Tavis Ormandy from Google’s Project Zero contacted Cloudflare to report a security problem with its edge servers. He reported corrupted web pages being returned by some HTTP requests run through Cloudflare.
Over the weekend, Internet users were being asked to change all their passwords due to the Cloudflare bug. The measures were taken as the reported bug may have leaked passwords, messages and more from website visits.
On Friday, February 24th, Cloudflare announced that it has fixed the flaw. Through a blog post, Cloudflare said that the greatest period of impact was from February 13th to 18th with around 1 in every 3,300,000 HTTP requests through Cloudflare potentially resulting in memory leakage.
John Graham-Cumming, Chief Technology Officer, Cloudflare said:
It turned out that in some unusual circumstances, our edge servers were running past the end of a buffer and returning memory that contained private information such as HTTP cookies, authentication tokens, HTTP POST bodies, and other sensitive data.
And some of that data had been cached by search engines.