Cloudbleed and ethical disclosure
On February 23rd, 2017, the content delivery provider Cloudflare revealed a serious vulnerability in its software for processing webpages as they traveled across its network. Due to a programming error which caused a memory leak, Cloudflare’s software would insert server memory into webpages under a specific yet limited set of circumstances. The “server memory” inserted may include “private information such as HTTP cookies, authentication tokens, HTTP POST bodies, and other sensitive data” according to Cloudflare, all of which could be read by an attacker. Some of these webpages containing private information had been inadvertently saved by search engines, complicating the issue.
The issue was reported to Cloudflare by Google security researcher Tavis Ormandy, who detailed the course of events following notification on Project Zero’s issue tracker. What I find interesting and which relates to IT