14 DAY TRIAL // Cloudflare investigated the mass leaking of encrypted browsing sessions Google's experts discovered, but found no evidence of exploitation, despite the huge vulnerability the bug brought to the table.
The company admits that this vulnerability had the potential to be much worse, but lucky for them, and the users, there's no evidence of malicious exploitation before the patch was rolled out.
"After a review of tens of thousands of pages of leaked data from search engine caches, we have found a large number of instances of leaked internal Cloudflare headers and customer cookies, but we have not found any instances of passwords, credit card numbers, or health records," Cloudflare says, adding that it has not stopped reviewing the incident.
The company adds that while millions of websites use Cloudflare, the vast majority of the customers had no data leaks, which is good news for obvious reasons.
The company is doing a pretty good job at trying to restore customer and user trust in its infrastructure. Both last week and now, Cloudflare issued a pretty long and detailed account of what happened and why and how things were handled.
Cloudbleed, but not really
It all started when Google security researcher Tavis Ormandy privately disclosed the bug to Cloudflare, which rolled out a fix in record time.
In its disclosure, Cloudflare explains that the problem was caused by faulty code in its edge servers which allowed data to run over the bugger, return memory that wasn't encrypted and expose people's browsing information. The list included HTTPS requests, client IP addresses, full responses, cookies, passwords, keys, data, and loads more.
Google, Bing, and even China's Baidu worked together to cach some of the leaked data, scraping it from their search results to help protect people. More than 80,000 unique cached pages have been removed since the flaw was discovered, the company says.
According to Matthew Prince, chief executive of the networking giant, 1.2 million requests were at risk of being leaked since the bug was inadvertently introduced back in September and until February 13 when the bug was fixed.
“The report is technically comprehensive and quite transparent. Even if we cannot verify the accuracy of all the numbers inside – for the moment, I don’t have a valid reason to question either its content, or conclusion. One may say that it’s written in a bit too positive manner, trying to assure their customers, but this is a globally accepted practice. [...] Cloudflare’s reaction to the incident was professional, rapid and transparent. It can serve as an example to other companies," Ilia Kolochenko, web security firm High-Tech Bridge CEO, told Softpedia.