MIAMI (CBSMiami) — Google has uncovered a leak that may have exposed passwords and other sensitive information from major companies like Uber and Fitbit.
The company Cloudflare, which provides web services to millions of websites, encountered a bug that accidentally leaked information for months.
The company’s Founder & CEO Matthew Prince claimed that, of the thousands of sites affected in what has been dubbed #cloudbleed, about 150 appeared to have leaked mostly information like concession tickets, but some may have leaked usernames, passwords, and other private information onto the Internet.
Famed Google bug hunter Tavis Ormandy noted that the leak also affected the dating site OKCupid and 1Password.
Cloudflare have been leaking customer HTTPS sessions for months. Uber, 1Password, FitBit, OKCupid, etc. https://t.co/wjwE4M3Pbk
— Tavis Ormandy (@taviso) February 23, 2017
Ormandy claimed that when he tested the bug causing the leak, he was able to retrieve passwords and encryption keys from other sites hosted by Cloudflare, since search engines like Google had been caching the leaked information.
“I’ve informed cloudflare what I’m working on. I’m finding private messages from major dating sites, full messages from a well-known chat service, online password manager data, frames from adult video sites, hotel bookings. We’re talking full https requests, client IP addresses, full responses, cookies, passwords, keys, data, everything,” claimed Ormandy.
Prince said that once Google notified them, they were able to stop the leaks within the hour. A cause for concern was that Cloudflare’s customers share the same infrastructure, meaning information could have been pulled from various customers.
“All 6 million customers pass throughout the network and share resources so it’s almost like a freeway,” said Prince. “They all use the same load and the same infrastructure.”
Prince went on to explain the dilemma after the leak of having to clean up the caches.
“The problem was that Google had already made copies of this information,” said Prince.
He explained that the company then went on to clean up the information from search engines like Google. They made the announcement about the leak on Thursday, a week after they were notified.