Content delivery network Cloudflare has confirmed the existence of a bug that caused search engines to cache sensitive user data from a variety of well-known apps and websites. Google researcher Tavis Ormandy discovered and reported the bug to Cloudflare, and the company has since fixed the bug and published a detailed blog post about exactly what happened.

According to Cloudflare, the period of greatest impact for the "parser bug" ran from February 13 to February 18, although the extent of the leak stretches back months. The heart of the issue was a security problem with Cloudflare edge servers, which were returning corrupted web pages by some HTTP requests running on Cloudflare's large network.

cloudflare logo
In what the company referred to as "some unusual circumstances," occasionally private information was returned as well, including "HTTP cookies, authentication tokens, HTTP POST bodies, and other sensitive data."

It turned out that in some unusual circumstances, which I’ll detail below, our edge servers were running past the end of a buffer and returning memory that contained private information such as HTTP cookies, authentication tokens, HTTP POST bodies, and other sensitive data. And some of that data had been cached by search engines.

The bug was serious because the leaked memory could contain private information and because it had been cached by search engines. We have also not discovered any evidence of malicious exploits of the bug or other reports of its existence.

As shared in a tweet by Ormandy this week, that data also included private dating site messages from OKCupid, full messages from a "well-known chat service," passwords from password managing apps like 1Password, and more (via Fortune). In response, some companies -- like 1Password -- have published blog posts confirming that "no 1Password data is put at any risk through the bug reported about CloudFlare."

To expedite a solution, Cloudflare responded to Ormandy's discovery and turned off three minor features of the network -- email obfuscation, Server-side Excludes, and Automatic HTTPS Rewrites -- discovered to be using the same HTML parser chain "that was causing the leakage."

In its blog post, the company said that it has "not discovered any evidence of malicious exploits" in relation to the time that the parser bug was active. It also noted that, while serious, the scale of the bug was still relatively low: around 1 in every 3,300,000 HTTP requests through Cloudflare potentially resulted in memory leakage. "That’s about 0.00003% of requests," the company noted.

Cloudflare worked with the affected search engines, including Google, Yahoo, and Bing, to erase any remnants of the sensitive data from their caches. The company's chief technology officer, John Graham-Cumming, concluded the blog saying, "We are very grateful to our colleagues at Google for contacting us about the problem and working closely with us through its resolution. All of which occurred without any reports that outside parties had identified the issue or exploited it."

Earlier this week, it was reported that Apple cut ties with server supplier Super Micro Computer in order to avoid a potential future scenario where user data might be put at risk, similar to Cloudflare's leak. Early in 2016, Apple was said to have discovered a potential security vulnerability in one of Super Micro Computer's data center servers and effectively ended its business relationship with the network company shortly thereafter.

For a technical dive into Cloudflare's parser bug and its origins, check out the company's blog post.

Tag: CloudFlare

Top Rated Comments

AndyK Avatar
AndyK
114 months ago
If you use 1Password you were never at risk anyway ('https://blog.agilebits.com/2017/02/23/three-layers-of-encryption-keeps-you-safe-when-ssltls-fails/').
Score: 5 Votes (Like | Disagree)
Parasprite Avatar
Parasprite
114 months ago
If you use 1Password you were never at risk anyway ('https://blog.agilebits.com/2017/02/23/three-layers-of-encryption-keeps-you-safe-when-ssltls-fails/').
Note that this means your master password is safe if you happen to use a 1Password account. This doesn't mean that there is any less risk for other data (including logins and other sensitive data).
Score: 1 Votes (Like | Disagree)
campyguy Avatar
campyguy
114 months ago
I get how 1Password can say 'not affected' but I don't get how some of the others can. I have domains and DNS at Namecheap, and read their page about their investigation. I don't understand how they can say not affected, though. Unless I'm misunderstanding what happened, how would they even know (or be able to investigate)? No one logged into their site during the affected time periods?

Anyway, yea, using a password manager is a very good idea, as you can have a good, strong UNIQUE password for every site (i.e.: if one gets compromised, it's only that site). But, changing them can still be a pain for things like Dropbox, email, etc. where the change impacts all your systems and devices.
Sorry for the delay, a client popped in with Scotch - here in the office we couldn't say no to either one… ;)

I'd been poring over my own resources about getting to the bottom of this as well, and cruising the web for a more-narrowed or focused explanation and found one on Wired with some quotes from Cloudflare's CEO that broke it down for me, the whole post is a good read and the CEO's comments begin about halfway down starting with the "What Happens Now" header:
https://www.wired.com/2017/02/crazy-cloudflare-bug-jeopardized-millions-sites/

Keep in mind that the CEO cites a number of affected customers and not a number of affected web sites or portals… Cheers!
Score: 1 Votes (Like | Disagree)
Read All Comments

Popular Stories

2024 iPhone Boxes Feature

Apple Adjusts Trade-In Values for iPhones, iPads, Macs, and More

Thursday November 6, 2025 11:12 am PST by
Apple today updated its trade-in values for select iPhone, iPad, Mac, and Apple Watch models. Trade-ins can be completed on Apple's website, or at an Apple Store. The charts below provide an overview of Apple's current and previous trade-in values in the U.S., according to its website. Maximum values for most devices either decreased or saw no change, but the iPad Air received a slight bump. ...
Read Full Article67 comments
Finder Siri Feature

Apple's New Siri Will Be Powered By Google Gemini

Wednesday November 5, 2025 11:57 am PST by
The smarter, more capable version of Siri that Apple is developing will be powered by Google Gemini, reports Bloomberg. Apple will pay Google approximately $1 billion per year for a 1.2 trillion parameter artificial intelligence model that was developed by Google. For context, parameters are a measure of how a model understands and responds to queries. More parameters generally means more...
Read Full Article367 comments
Liquid Glass General Feature

Apple Shares Liquid Glass Design Gallery

Thursday November 6, 2025 2:45 pm PST by
Apple is promoting the new Liquid Glass design in iOS 26, showing off the ways that third-party developers are embracing the aesthetic in their apps. On its developer website, Apple is featuring a visual gallery that demonstrates how "teams of all sizes" are creating Liquid Glass experiences. The gallery features examples of Liquid Glass in apps for iPhone, iPad, Apple Watch, and Mac. Apple...
Read Full Article107 comments
iOS 26

iOS 26.1 Available Now With These 8 New Features

Monday November 3, 2025 5:54 am PST by
Following more than a month of beta testing, Apple released iOS 26.1 on Monday, November 3. The update includes a handful of new features and changes, including the ability to adjust the look of Liquid Glass and more. Below, we outline iOS 26.1's key new features. Liquid Glass Toggle iOS 26.1 lets you choose your preferred look for Liquid Glass. In the Settings app, under Display...
Read Full Article
airtag purple

Apple's Website Lists AirTag 4-Pack at Shockingly Low Price [Updated]

Friday November 7, 2025 6:40 am PST by
Apple's online store in the U.S. is suddenly offering a pack of four AirTags for just $29, which is the same price as a single AirTag. This is likely a pricing error, and it is unclear if orders will be fulfilled. Apple has not discounted the AirTag four-pack in any other countries that we checked. Delivery estimates are already pushing into late November to early December, suggesting...
Read Full Article91 comments
apple watch se 3 always on

Apple to Remove iPhone-Apple Watch Wi-Fi Sync in EU With iOS 26.2

Thursday November 6, 2025 4:37 am PST by
Apple in iOS 26.2 will disable automatic Wi-Fi network syncing between iPhone and Apple Watch in the European Union to comply with the bloc's regulations, suggests a new report. Normally, when an iPhone connects to a new Wi-Fi network, it automatically shares the network credentials with the paired Apple Watch. This allows the watch to connect to the same network independently – for...
Read Full Article208 comments
ikea smart home devices

IKEA Debuts 21 HomeKit-Compatible Smart Bulbs, Sensors, and Controls

Thursday November 6, 2025 4:08 pm PST by
IKEA today announced the upcoming launch of 21 new Matter-compatible smart home products that will be able to interface with HomeKit and the Apple Home app. There are sensors, lights, and control options, all of which will be reasonably priced. Some of the products are new, while some are updates to existing lines that IKEA previously offered. There are a series of new smart bulbs that are...
Read Full Article73 comments
Home Hub Command Center with Dome Base Feature

Apple's 2026 Smart Home Revamp: All the Rumors

Wednesday November 5, 2025 3:54 pm PST by
It's been over a decade since Apple's HomeKit smart home platform launched, and it is overdue for an update. HomeKit and the Home app can no longer keep up with AI-powered solutions from other companies like Google and Amazon, but that's set to change with a smart home revamp that Apple has planned for 2026. Home Hub Apple is working on a home hub or "command center" that will serve as a...
Read Full Article56 comments