A number of high-profile websites have been leaking their users' personal data into the ether, thanks to an error by a prominent web services provider. Cloudflare, which provides security and content delivery services to companies including Patreon, Fitbit and OKCupid, had a bug in its code that caused fragments of its servers' memory, including data belonging to other customers' requests, to be written into the web pages it served. The Register described the issue as sitting down to a fresh table in a restaurant and being handed the previous diner's wallet.
Tavis Ormandy, a security researcher with Google's Project Zero, spotted the leak, finding encryption keys, cookies, passwords and the contents of HTTPS requests in public search-engine caches. He contacted Cloudflare, which then worked to identify and stop the problem. It came down to a single wrong comparison in the company's HTML parser: the check for reaching the end of a buffer tested for equality (==) rather than greater-than-or-equal (>=), so once the parser's pointer stepped past the end of the buffer the check never fired again and the parser kept reading memory beyond it, a classic buffer overrun. In its public statement, Cloudflare added that it held off on disclosing the issue until it had ensured that search engine caches had been cleared of any personal data.
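As an added illustration (this is not Cloudflare's parser, which was generated code and is not reproduced here), the following C program shows the class of bug described above on a toy record format invented for the example: a scanner whose only end-of-input test is pointer equality, beside one that uses an ordering test and bounds every read. The record format, the names `scan_vulnerable`, `scan_hardened` and `run_scan`, and the memory layout (a short document followed by bytes standing in for another customer's request in the same process) are all assumptions made for the demonstration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed example, not Cloudflare's parser.  Toy record format invented
 * for this demo: each record is one length byte followed by that many
 * payload bytes.  Both scanners walk the input with a cursor p and an end
 * pointer pe, copy every payload into out, and return the bytes produced.
 */

/* Vulnerable: the only end-of-input test is pointer equality.  A truncated
 * final record (length byte larger than what remains) pushes p past pe in
 * one step; p == pe is then never true again, and the scanner keeps reading
 * whatever memory happens to follow the document. */
size_t scan_vulnerable(const unsigned char *p, const unsigned char *pe,
                       unsigned char *out, size_t out_cap)
{
    size_t n = 0;
    while (p != pe) {                        /* BUG: equality, not ordering */
        size_t len = *p++;
        for (size_t i = 0; i < len && n < out_cap; i++)
            out[n++] = p[i];                 /* reads beyond pe when truncated */
        p += len;                            /* may land past pe */
        if (n >= out_cap)                    /* output full: only other exit */
            break;
    }
    return n;
}

/* Hardened: an ordering test ends the scan even if p overshoots, and each
 * record's length is checked against the bytes actually remaining, so no
 * read ever passes pe. */
size_t scan_hardened(const unsigned char *p, const unsigned char *pe,
                     unsigned char *out, size_t out_cap)
{
    size_t n = 0;
    while (p < pe) {                         /* FIX: p >= pe also stops */
        size_t len = *p++;
        if (len > (size_t)(pe - p))          /* truncated record: stop here */
            break;
        for (size_t i = 0; i < len && n < out_cap; i++)
            out[n++] = p[i];
        p += len;
        if (n >= out_cap)
            break;
    }
    return n;
}

/* Memory layout constructed for the demo: the 8-byte document this request
 * is allowed to see, immediately followed by bytes that stand in for another
 * customer's request sitting in the same process.  The zero padding keeps the
 * toy scanner's reads inside one array so the demo itself is well defined. */
#define DOC_LEN 8
#define OUT_CAP 16
static const unsigned char arena[128] = {
    3, 'a', 'b', 'c',                        /* record 1: complete */
    5, 'h', 'e', 'l',                        /* record 2: claims 5, 3 remain */
    's', 'e', 's', 's', 'i', 'o', 'n', '=',  /* neighbour's data begins here */
    'd', 'e', 'a', 'd', 'b', 'e', 'e', 'f',
};

/* Run one scanner over the arena and return its NUL-terminated output. */
const char *run_scan(int hardened)
{
    static unsigned char out[OUT_CAP + 1];
    const unsigned char *p = arena, *pe = arena + DOC_LEN;
    size_t n = hardened ? scan_hardened(p, pe, out, OUT_CAP)
                        : scan_vulnerable(p, pe, out, OUT_CAP);
    out[n] = '\0';
    return (const char *)out;
}

int main(void)
{
    printf("vulnerable: %s\n", run_scan(0));   /* abchelsesion=dea: leaks neighbour */
    printf("hardened:   %s\n", run_scan(1));   /* abc */
    return 0;
}
```

The vulnerable scanner copies the truncated record's missing bytes and then several more records' worth of the neighbour's data into its output, which is the shape of the leak described above. The `p < pe` test alone is enough to stop the overshoot; the per-record length check is the extra guard a reviewer would ask for so the truncated record itself is never read past `pe`.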
Cloudflare have been leaking customer HTTPS sessions for months. Uber, 1Password, FitBit, OKCupid, etc. https://t.co/wjwE4M3Pbk
— Tavis Ormandy (@taviso), February 23, 2017