A researcher from Google disclosed on Thursday that private messages, API keys, and other sensitive data were being leaked by a major content delivery network to random requesters, a leakage that could affect up to 5.5 million websites.
Like Heartbleed, which was co-discovered by the Synopsys team in Oulu, Finland, and Google in April 2014, a new vulnerability dubbed “Cloudbleed” was discovered through routine fuzz testing. The researcher, Tavis Ormandy, the bad boy of vulnerability research at Google Project Zero, said that on February 17, 2017, he noticed the leakage of private session keys and other sensitive information across various websites in his results and quickly isolated the problem to sites hosted by Cloudflare, a content delivery network (CDN) and web security provider.
“I encountered some data that didn’t match what I had been expecting,” Ormandy wrote. “It’s not unusual to find garbage, corrupt data, mislabeled data or just crazy non-conforming data…but the format of the data this time was confusing enough that I spent some time trying to debug what had gone wrong, wondering if it was a bug in my code. In fact, the data was bizarre enough that some colleagues around the Project Zero office even got intrigued.”
Following Project Zero’s seven-day disclosure policy for vulnerabilities under active exploitation, Ormandy made his findings public on Thursday.