On February 17, 2017, Google Project Zero security researcher Tavis Ormandy sent a cryptic tweet addressed to Cloudflare's security team:
Could someone from cloudflare security urgently contact me.
— Tavis Ormandy (@taviso) February 18, 2017
Google Project Zero is Google's dedicated team of some of the most advanced security researchers, or white hat hackers, in the world. For anyone familiar with Tavis Ormandy's past work disclosing major security vulnerabilities in Microsoft Windows, this is not the kind of tweet you want to be on the receiving end of.
@taviso this is pretty much one of the most horrifying tweets a Cloudflare sec employee could see on a Friday afternoon
— Jon Bottarini (@jon_bottarini) February 18, 2017
The bug, dubbed #CloudBleed, comes down to this: sending a specifically crafted request to a website hosted on Cloudflare would cause random data from that website to be sent back in the response. Any login-based application sitting behind a Cloudflare reverse proxy could therefore have accidentally exposed sensitive customer information.
Within 22.5 business hours of disclosure, Cloudflare security had mopped things up and released an internal analysis putting the actual risk to customers somewhere in the ballpark of winning the lottery. Their detailed post-mortem includes probabilistic figures showing that even though the bug was accidentally triggered over two million times, no instance of intentional exploitation was discovered. This means that the chances of your password on a given website having been leaked are limited to being very, very unlucky. But because any leaked copy of your password may still be stored in the aggressive caches of modern search engines, we do recommend changing your passwords — just in case.