Cloudflare, which provides security and content delivery services to companies like Patreon, Fitbit and OKCupid among others, had a serious bug in its software that caused sensitive data such as passwords and cookies to spill in plaintext from its customers' websites.
This could have allowed anyone who noticed the error to collect a variety of very personal information that is normally protected by HTTPS in transit, and that was leaked here from memory on Cloudflare's own edge servers rather than by breaking any encryption.
The leak may have been active as early as Sept. 22, 2016, almost five months before a security researcher at Google’s Project Zero discovered it and reported it to Cloudflare.
Tavis Ormandy, a security researcher with Google's Project Zero, spotted the bug, finding encryption keys, cookies, passwords and HTTPS requests in public caches. He contacted Cloudflare, which then began to work to identify and stop the issue, which came down to a one-character error in the code: an end-of-buffer check in an HTML parser that tested for equality rather than for "greater than or equal", so a pointer that stepped over the end of a buffer was never caught and the parser kept reading, causing a buffer overrun. Because the memory past the buffer belonged to other requests passing through the same server, the overrun copied other customers' data into responses. In its public statement, Cloudflare added that it held off on disclosing the issue until it had ensured that search engine caches had been cleared of any personal data.
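The following is an added, deliberately simplified illustration of the failure mode described above; it is not Cloudflare's parser or the Ragel-generated code involved in the incident. It assumes a constructed scanner that advances two bytes when it sees a carriage return, so the pointer can jump over the end of the buffer, and a constructed memory layout in which another tenant's data sits immediately after the buffer being parsed. The arena, its contents and all function names are assumptions for the demonstration.

```c
#include <stdio.h>
#include <string.h>

/*
 * Constructed memory layout: a 10-byte "request" buffer ("<a href=x\r") is
 * followed directly by data that belongs to someone else, then a '>' so the
 * broken scan terminates deterministically. Keeping everything in one array
 * means the overrun below stays inside memory we own; on a real server the
 * bytes after the buffer would be whatever the heap held for other requests.
 */
static const char arena[] = "<a href=x\r" "SESSION=abc123" ">";
#define PAGE_LEN 10   /* length of "<a href=x\r" */

/*
 * Scan [buf, buf+len) for the '>' that closes a tag and return how many bytes
 * belong to the tag, or -1 if the buffer ends first. A CR is treated as a
 * two-byte line ending, so the pointer can move by two at once.
 *
 * Vulnerable variant: the end-of-buffer test is an equality check. It works
 * whenever the pointer lands exactly on pe, which is the common case, but a
 * two-byte step from the last byte of the buffer jumps straight over pe and
 * the loop keeps reading whatever memory follows.
 */
static long scan_vuln(const char *buf, size_t len) {
    const char *p = buf, *pe = buf + len;
    for (;;) {
        if (p == pe) return -1;          /* BUG: only catches an exact landing */
        if (*p == '>') return (p - buf) + 1;
        p += (*p == '\r') ? 2 : 1;
    }
}

/* Fixed variant: ">=" catches the pointer whether it lands on pe or beyond it. */
static long scan_safe(const char *buf, size_t len) {
    const char *p = buf, *pe = buf + len;
    for (;;) {
        if (p >= pe) return -1;          /* FIX: any position past the end stops the scan */
        if (*p == '>') return (p - buf) + 1;
        p += (*p == '\r') ? 2 : 1;
    }
}

/*
 * Copy the scanned tag into a static output buffer (standing in for the
 * response being sent back to a client) and return it, or NULL if the tag was
 * truncated. With the vulnerable scan the byte count can exceed len, so the
 * copy drags the neighbouring tenant's data into the output.
 */
static const char *emit_tag(const char *buf, size_t len, int safe) {
    static char out[64];
    long n = safe ? scan_safe(buf, len) : scan_vuln(buf, len);
    if (n < 0 || (size_t)n >= sizeof out) return NULL;
    memcpy(out, buf, (size_t)n);
    out[n] = '\0';
    return out;
}

int main(void) {
    const char *leaked = emit_tag(arena, PAGE_LEN, 0);
    const char *fixed  = emit_tag(arena, PAGE_LEN, 1);
    printf("vulnerable scan reported %ld bytes for a %d-byte buffer\n",
           scan_vuln(arena, PAGE_LEN), PAGE_LEN);
    printf("vulnerable output: %s\n", leaked ? leaked : "(null)");
    printf("fixed output:      %s\n", fixed ? fixed : "(truncated tag, nothing emitted)");
    return 0;
}
```

The vulnerable scan reports 25 bytes for a 10-byte buffer and the emitted "tag" carries the neighbouring `SESSION=abc123` along with it, which is the shape of what ended up in search engine caches; the same input with the `>=` check stops at the buffer end and emits nothing. Note that the equality check passes every test that ends the buffer cleanly, which is why a one-character mistake like this survives for months.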