Cloudflare has blamed an unspecified internal fault for the recent incidents in which the service is reported to have lost client data.
According to the company’s CTO, John Graham-Cumming, about 1 in every 3.3 million requests that the company’s servers handled between 13 and 18 February this year may have leaked.
“We think that an internal fault may have led to the memory leakage of a very small percentage of the data that we handle on our secure servers,” he added.
Earlier, researcher Tavis Ormandy had pointed out that Cloudflare’s servers were leaking data, and that the leakage was made worse by common search engines caching the leaked data.
Cloudflare have been leaking customer HTTPS sessions for months. Uber, 1Password, FitBit, OKCupid, etc. https://t.co/wjwE4M3Pbk
— Tavis Ormandy (@taviso) February 23, 2017
It has now emerged that Cloudflare’s servers experienced a relatively common problem related to memory leakage. The leakage of sensitive data such as HTTPS cookies and others, which occurred on the servers, is said to have affected some major global brands, including Uber, Lyft, OKCupid and others.
None of these companies has commented on the issue so far. However, Cloudflare says that it took the necessary steps to address the situation immediately after Ormandy notified it of the problem.
According to the company, its experts deactivated the Automatic HTTPS, Server-Side Excludes and email obfuscation features on its servers immediately after it was notified of the fault. But in what may further complicate matters for the company, it is now emerging that it may not have taken the issue as seriously as it now states.
According to Ormandy, after he notified the company’s cyber security experts about the breach, he was referred to the infamous bug bounty program that the company runs, under which it rewards hackers who manage to point out flaws in its systems with T-shirts.
Speculation is rife that the company may not have given the issue the level of attention and seriousness that it deserved in the first place.
It must be noted that Google has started an effort to find and remove all data from the service that has been cached in its search engine. The effort, which is still under way, is expected to reduce the impact of the data leak.