Uber, Fitbit, OkCupid info exposed by 'CloudBleed' flaw

A bug affecting 3,400 websites leaked data, including usernames, passwords and messages sent by users.

Laura Hautala
Laura Hautala
Laura Hautala Former Senior Writer
Laura wrote about e-commerce and Amazon, and she occasionally covered cool science topics. Previously, she broke down cybersecurity and privacy issues for CNET readers. Laura is based in Tacoma, Washington, and was into sourdough before the pandemic.
Expertise E-commerce, Amazon, earned wage access, online marketplaces, direct to consumer, unions, labor and employment, supply chain, cybersecurity, privacy, stalkerware, hacking. Credentials
  • 2022 Eddie Award for a single article in consumer technology
Laura Hautala
5 min read
​The login page for OKCupid.com. Web traffic sent over this website and more than 3,000 others was exposed due to a flaw in tool provided by cybersecurity company Cloudflare.

The login page for OkCupid.com. Web traffic sent over this website and more than 3,000 others was exposed because of a flaw in a tool provided by cybersecurity company Cloudflare.

Screenshot by CNET

Usernames and passwords leaked onto the open internet earlier this month because of a security bug that affected 3,400 websites, including popular services like Uber, Fitbit and OkCupid.

You wouldn't mind if someone could break into the personal accounts you use to track your movements, your fitness and your love life, would you?

While there's no indication that hackers actually accessed usernames and passwords, or a wealth of other private data that people sent over the services, the information was exposed both on corrupted versions of the websites and in cached results on search services like Google and Bing.

"The bug was serious because the leaked memory could contain private information and because it had been cached by search engines," John Graham-Cumming, chief technical officer of cybersecurity company Cloudflare, wrote Thursday in a blog post detailing the flaw.

Google security researcher Tavis Ormandy identified the flaw and brought it to Cloudflare's attention late last week. In his report about the bug, which also became public Thursday, Ormandy said he found "private messages from major dating sites, full messages from a well-known chat service, online password manager data, frames from adult video sites, hotel bookings."

In his report on the bug, Ormandy joked that he'd thought about calling the flaw "CloudBleed." The name is reminiscent of Heartbleed, a flaw in a key web protocol that exposed sensitive internet traffic for years until it was discovered in 2014. The name CloudBleed took off on social media Thursday when Ormandy's report went public.

The flaw originated in a widely used tool provided by Cloudflare that was meant to help manage and protect internet traffic for the affected websites. In addition to usernames and passwords, messages sent over any of these platforms -- and any other information sent via web browser to the affected sites -- could have been exposed.

Graham-Cumming said 3,400 total websites were using the tool that contained the flaw and confirmed that Uber, Fitbit and OkCupid were among those affected. He declined to name any other services that might have had user data leak due to the problem.

Ormandy said in an email that while 3,400 sites were leaking the data, they were leaking data from all of Cloudflare's customers, which is a much higher number of websites. He also said he found data from password manager service 1Password and helped purge it from search engine caches. However, 1Password's Jeffrey Goldberg, who specializes in security, wrote on Thursday that user information was safe nonetheless.

Even though the encryption that should have kept user information unreadable was broken as part of the flaw, anyone who encountered leaked information from 1Password would still have been unable to parse it. "We have designed 1Password to not depend on the secrecy provided by HTTPS," Goldberg wrote.

Uber said that passwords were not exposed and that "only a handful of session tokens" were affected and have since been changed. Fitbit said it had been assessing any potential impact on its systems' users from the Cloudflare issue, and had taken some internal measures to prevent any future damage.

"Concerned users can change their account password, followed by logging out and in to the mobile application with the new password," the company said in a statement. The company also put together a guide for users on what they can do in response to the bug.

OkCupid also has been looking into the matter and like the others said it would take any necessary steps to protect its users. "Our initial investigation has revealed minimal, if any, exposure," said CEO Elie Seidman.

A trickle of data, and then a surge

The flaw is now fixed and the leaked information has been purged from search engines, meaning it's no longer exposed on the internet. After Ormandy notified Cloudflare, the company set up a team to fix the problem in a matter of hours. The flaw has been resolved since Saturday.

The information was exposed in bits and pieces as users interacted with the affected websites starting in September. The leak peaked in the week of Feb. 13-17, Graham-Cumming said in an interview. The information would appear on the webpage in a seeming string of nonsense, which users would likely not know how to interpret, he said. The data leakage was "ephemeral" because it would disappear the second a user closed the web page.

More worryingly, though, the leaked information was also cached by search engines like Google and Bing as they crawled the web and encountered the corrupted web pages.

After fixing the flaw, Cloudflare focused on erasing any trace of the leaked information from the internet. That meant working with search engines to purge the cached records of the corrupted webpages.

What's the danger?

Graham-Cumming said users don't need to worry about changing their passwords, because there's a very low chance that their login information was found by someone who knew where to look for it.

However, in his report on the bug, Google researcher Ormandy said Cloudflare's disclosure "severely downplays the risk to [Cloudflare] customers." Ormandy was referring to a draft of the disclosure he saw before Cloudflare went public with the news on Thursday.

Ormandy said via email he thinks it would be a good idea for end users of websites that use Cloudflare to change their passwords. The companies that run the websites themselves should also make internal changes, as the tools they use to secure user information were also exposed.

Originally published Feb. 23 at 7:12 p.m. PT.
Updated Feb. 24 at 9:32 a.m., 11:21 a.m., 12:22 p.m. and 3:52 p.m.: Added statements from Uber, Fitbit and OkCupid; added more commentary from Google researcher Ormandy and information about 1Password; added comment from 1Password; added link to user help page from Fitbit.

Life, disrupted: In Europe, millions of refugees are still searching for a safe place to settle. Tech should be part of the solution. But is it? CNET investigates.

Tech Enabled: CNET chronicles tech's role in providing new kinds of accessibility. Check it out here.