For 5 days in February this year, an information disclosure issue affected Cloudflare’s infrastructure. This led to their systems inadvertently leaking private session keys, website cookies, encryption keys and passwords.
Why should this vulnerability be considered important?
The scale of the issue was large, affecting an estimated 2 million websites. The flaw was due to a coding error (undetected at the time) within a parser used to modify HTML webpages, and was related to how the memory containing the buffers of their NGINX web server functioned. Google Project Zero vulnerability researcher Tavis Ormandy contacted Cloudflare over Twitter; Cloudflare mitigated the issue in 47 minutes and completed their work in less than 7 hours, an incredibly swift resolution. Cloudflare later noted it would usually take 3 months to resolve an issue similar to this.
How can I protect myself from this vulnerability?
Cloudflare documented their findings of this incident within this blog post. Their analysis shows no evidence of attackers using the leaked information for malicious account access, accessing sensitive information or fraudulent purchases (in the case of exposed credit card numbers).
Cloudflare is continuing to review the leaked information and is working to remove it from third-party caches. They have committed to a review (both internal and with the assistance of external auditor Veracode) of the parser code which inadvertently led to this information leakage.
As a precaution, I would recommend monitoring any affected accounts for unwanted activity, and changing passwords and enabling 2-factor authentication should any unwanted activity take place. The list of affected websites is here.