Cloudflare quickly responded, outlining in detail that the leak was caused by a “buffer overrun.” So, good news: the culprit for the leak was a bug. But here’s the major problem: the information was cached by search engines like Google, Bing, Yahoo and others. As Forbes outlines, since Cloudflare typically hosts content from different sites on the same server, one vulnerable website could reveal information about a separate, unrelated Cloudflare site. From Ormandy: "I'm finding private messages from major dating sites, full messages from a well-known chat service, online password manager data, frames from adult video sites, hotel bookings."
What’s worse: it appears they could have unknowingly been dumping sensitive info across the Internet since September of 2016.
“It looked like that if an html page hosted behind cloudflare had a specific combination of unbalanced tags, the proxy would intersperse pages of uninitialised memory into the output,” he said.
“My working theory was that this was related to their "Scrape Shield" feature which parses and obfuscates html - but because reverse proxies are shared between customers, it would affect *all* Cloudflare customers,” he said.
He said that the format of the data was confusing and after a while it became clear that he was looking at chunks of uninitialised memory interspersed with valid data.
“A while later, we figured out how to reproduce the problem.
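To make the failure mode Ormandy describes concrete, here is an added illustration (not Cloudflare's parser and not code from the article): a toy tag-stripper whose tag-skipping loop has no end-of-buffer check, so a page that ends inside an unclosed tag makes it read, and then copy out, whatever memory follows the page, beside a bounded version. The page bytes, the stale data placed after them, and all function names are constructed for the example.

```c
#include <stddef.h>
#include <string.h>

/* Constructed backing store: the first PAGE_LEN bytes are the customer's page,
   which ends inside an unclosed tag; the bytes after it stand in for stale data
   from another request that a correct parser must never touch. */
#define PAGE_LEN 17
static const char backing[] =
    "<p>hi</p><b title"                   /* 17 bytes, the <b tag never closes */
    ">TOKEN=from-another-customer-site";  /* stale bytes beyond the page      */

/* Copies text outside of tags into out; returns bytes written.
   VULNERABLE: the tag-skipping loop hunts for '>' with no end check, so an
   unclosed tag pushes p past end; "p != end" then never becomes true and the
   outer loop keeps copying whatever memory follows the page. */
size_t strip_tags_vuln(const char *p, const char *end, char *out, size_t cap) {
    size_t n = 0;
    while (p != end && n < cap) {
        if (*p == '<') {
            while (*p != '>') p++;        /* unbounded: reads past end */
            p++;
        } else {
            out[n++] = *p++;
        }
    }
    return n;
}

/* FIXED: every advance is checked against end, and an unterminated tag is
   treated as end of input rather than a reason to keep scanning. */
size_t strip_tags_fixed(const char *p, const char *end, char *out, size_t cap) {
    size_t n = 0;
    while (p < end && n < cap) {
        if (*p == '<') {
            while (p < end && *p != '>') p++;
            if (p < end) p++;
        } else {
            out[n++] = *p++;
        }
    }
    return n;
}

/* Runs a stripper over the constructed page with a 32-byte output cap and
   reports whether the stale token leaked into the output. */
static int output_has_token(size_t (*f)(const char *, const char *, char *, size_t)) {
    char out[33] = {0};
    f(backing, backing + PAGE_LEN, out, 32);
    return strstr(out, "TOKEN") != NULL;
}
int vuln_leaks(void)  { return output_has_token(strip_tags_vuln); }
int fixed_leaks(void) { return output_has_token(strip_tags_fixed); }
```

The output cap is what keeps the vulnerable version's over-read inside the constructed array here; in a real proxy the equivalent bound is whatever happens to sit in the adjacent heap memory, which is exactly why the leaked fragments looked like random chunks of other customers' traffic.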