
MIAMI (CBSMiami) — Google has uncovered a leak that may have exposed passwords and other sensitive information from major companies like Uber and Fitbit.

Cloudflare, a company that provides web service to millions of websites, encountered a bug that accidentally leaked information for months.

The company’s founder and CEO, Matthew Prince, claimed that of the thousands affected in what has been dubbed #cloudbleed, about 150 appeared to have leaked mostly information like concession tickets, but some may have leaked usernames, passwords, and other private information onto the Internet.

Famed Google bug hunter Tavis Ormandy referred to the leak, claiming it affected the dating site OKCupid and 1Password as well.

Cloudflare have been leaking customer HTTPS sessions for months. Uber, 1Password, FitBit, OKCupid, etc.

— Tavis Ormandy (@taviso) February 23, 2017

Ormandy claimed that he tested the bug causing the leak and was able to get back passwords and encryption keys from other sites hosted by Cloudflare, since search engines like Google were caching the information.

“I’ve informed cloudflare what I’m working on. I’m finding private messages from major dating sites, full messages from a well-known chat service, online password manager data, frames from adult video sites, hotel bookings. We’re talking full https requests, client IP addresses, full responses, cookies, passwords, keys, data, everything,” claimed Ormandy.

Prince said that once Google notified the company, it was able to stop the leaks within the hour. A cause for concern was that Cloudflare’s customers share the same infrastructure, meaning information could have been pulled from various customers.

“All 6 million customers pass through our network and share resources so it’s almost like a freeway,” said Prince. “They all use the same load and the same infrastructure.”

Prince went on to explain the dilemma, after the leak, of having to clean up the caches.

“The problem was that Google had already made copies of this information,” said Prince.

He explained that the company then went on to clean up the information from search engines like Google. Cloudflare made the announcement about the leak on Thursday, a week after it was notified.

