Cloudflare issued a vulnerability alert on 2017-02-18: memory leak caused by parser bug.
Vulnerability in Cloudflare parser (which is also known as Cloudbleed) has been recently discovered. Cloudflare edge servers pass the end of a buffer returning memory that contains private information such as HTTP cookies, authentication tokens, HTTP POST bodies, and other sensitive data. Some of that data can be cached by search engines.
The information flowing through Cloudflare that should have been private can be disclosed. This includes HTTP headers, chunks of POST data (perhaps containing passwords), JSON for API calls, URI parameters, cookies and other sensitive information used for authentication (such as API keys and OAuth tokens). Because CloudFlare operates a large shared infrastructure, an HTTP request to a CloudFlare website that is vulnerable to this problem can reveal information about another, unrelated Cloudflare site.
Call to Action
A fix is already applied on Cloudflare servers worldwide. Moreover, all compromised private data has been deleted from a cache of the most popular search engines. However, if the Cloudflare extension was used for a website between September 2016 and February 2017, particular actions are recommended to protect their data:
- Invalidate all sessions for your website and make sure that login cookies for site visitors are invalid: solution for WordPress, solution for Joomla.
- Change you website's administrative accounts password (CMS administrators password, if any).
- Suggest the other accounts' owners change their passwords for the website.
Cloudflare announcement: https://blog.cloudflare.com/incident-report-on-memory-leak-caused-by-cloudflare-parser-bug/
Tavis Ormandy's blog: https://bugs.chromium.org/p/project-zero/issues/detail?id=1139
Tavis is a Google representative who found this bug and reported it to Cloudflare.