Written by Patrick Howell O'Neill

The private messages you sent on OKCupid last month or the data collected by your FitBit could be floating around the internet right now. Add to that a load of passwords and private data on some of the web’s most popular sites.

Cloudflare, a massive content delivery network and security provider has been vulnerable to a memory leak due to a bug discovered earlier this month by Tavis Ormandy from Google’s Project Zero. Big businesses like Uber, 1Password, OKCupid and FitBit all use Cloudflare’s technology.

As a result of the bug, virtually any traffic that passed through Cloudflare could be public including emails, private messages, passwords and other private data.

Cloudflare confirmed the issue on Thursday. No malicious exploits of the bug in the wild or other reports of its existence have been spotted.

Cloudflare is used by a huge portion of the web: it advertises that it serves more web traffic than Twitter, Amazon, Apple, Instagram, Bing and Wikipedia combined. Figuring out exactly how many and which websites are affected is a mammoth task.

“End users should change their passwords for all sites which are on Cloudflare,” Ryan Lackey, who worked on security at Cloudflare until 2015 when he launched Security Startup #5, told CyberScoop. Getting the full picture of what some on Twitter are calling Cloudbleed is not going to be easy. Cloudflare serves over 2 million websites, according to Lackey, all of which are potentially impacted. The bug’s impact further depends on how Cloudflare’s customers built their own security. 1Password, a password manager site, assured users Thursday that they are not affected. “Given that Cloudflare is a large percentage of consumer websites it might be prudent to just change ALL passwords,” Lackey said. “And use a password manager (1Password, Lastpass, etc.) so each is unique and long/complex.” An email circulating from Cloudflare CEO Matthew Prince says only 150 customers were impacted by the bug. “Cloudflare has said the actual impact is relatively minor, so I believe only limited amounts of information were actually disseminated,” Lackey later wrote. “Regardless, unless it can be shown conclusively that your data was NOT compromised, it would be prudent to act as if it were.”

Cloudflare have been leaking customer HTTPS sessions for months. Uber, 1Password, FitBit, OKCupid, etc. https://t.co/wjwE4M3Pbk — Tavis Ormandy (@taviso) February 23, 2017

The bug, a result of a coding error, made servers for Cloudflare run past the end of a buffer and returned private information like HTTP cookies, authentication tokens and an array of other sensitive data.

Ormandy explained:

It looked like that if an html page hosted behind cloudflare had a specific combination of unbalanced tags, the proxy would intersperse pages of uninitialized memory into the output (kinda like heartbleed, but cloudflare specific and worse for reasons I’ll explain later). My working theory was that this was related to their “ScrapeShield” feature which parses and obfuscates html – but because reverse proxies are shared between customers, it would affect *all* Cloudflare customers.

In layman’s terms: the coding error caused Cloudflare to run out of space to securely store information, so its servers ended up storing that information on the free and open internet.

Since Ormandy’s report, Cloudflare says its researchers worked 24 hours per day on the issue across offices in San Francisco and London. Ormandy, putting in similarly stretched hours, documented his frustration with Cloudflare’s team over recent days: “Cloudflare pointed out their bug bounty program, but I noticed it has a top-tier reward of a t-shirt,” he wrote on Thursday. “Needless to say, this did not convey to me that they take the program seriously.”

Ormandy also noted that Cloudflare’s announcement is “an excellent postmortem but severely downplays the risk to customers.”

While the Cloudflare post puts the “greatest period of impact” from four days, Ormandy says the impact is higher and that they’ve got the data to prove it.

Yes, they worded it confusingly. It was exploitable for months, we have the cached data. — Tavis Ormandy (@taviso) February 24, 2017

Here’s Ormandy targeting Uber: