Error in CloudFlare’s HTML parser led to risk of leaking customer login details
A bug in CloudFlare’s HTML parser allowed sensitive data belonging to the company’s customers to leak, and the leaked data was cached by search engines. After a report from Google, the website optimization service closed the leak in seven hours.
CloudFlare says it is not aware of any reports of abuse of the bug. According to the content provider, the bug existed between September last year and last week. Fitbit and Uber, among others, reportedly use CloudFlare’s services and may therefore have been vulnerable. Because of the bug in the code, a small number of requests caused memory contents to leak. Headers, tokens and other login data, among other things, ended up in search engine caches and could therefore be found.
Google’s Project Zero found the bug and notified CloudFlare. After the report, the service that obfuscates email addresses was turned off within 45 minutes, which resolved a large part of the problem. CloudFlare said it had closed the leak after seven hours.
The leak was in the Ragel code in the HTML parser. That parser obfuscated email addresses and converted http links to https. The code did not properly check whether the end of the buffer had been reached. According to CloudFlare, using “>=” instead of “==” would have been enough to avoid the problem.
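The end-of-buffer check described above, shown as an added example in C. This is not CloudFlare's code or Ragel output: it is a toy scanner whose names (scan, run, backing) and SECRET-TOKEN sample are constructed for illustration. Its pointer can advance by two bytes, so an "==" end test is stepped over while ">=" stops the read.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: the first INPUT_LEN bytes are the parser's input buffer;
   the bytes after it stand in for adjacent memory that is not part of the input. */
#define INPUT_LEN 8
static const char backing[] = "<a href=" "SECRET-TOKEN";

/* Hypothetical toy scanner. It copies bytes to out and, on '=', also skips the
   next byte, so p can move by 2 and land beyond pe without ever equalling it.
   strict_eq != 0 selects the "==" end test, 0 selects the ">=" end test. */
static size_t scan(const char *p, const char *pe, const char *hard_end,
                   int strict_eq, char *out)
{
    size_t n = 0;
    for (;;) {
        int at_end = strict_eq ? (p == pe) : (p >= pe);
        if (at_end || p >= hard_end)  /* hard_end only keeps the demo in bounds */
            break;
        out[n++] = *p;
        p += (*p == '=') ? 2 : 1;
    }
    out[n] = '\0';
    return n;
}

/* Run the scanner over the sample; out needs sizeof(backing) bytes. */
static size_t run(int strict_eq, char *out)
{
    return scan(backing, backing + INPUT_LEN,
                backing + sizeof(backing) - 1, strict_eq, out);
}

int main(void)
{
    char out[sizeof(backing)];
    size_t n = run(1, out);
    printf("\"==\" check: %zu bytes copied: %s\n", n, out);
    n = run(0, out);
    printf("\">=\" check: %zu bytes copied: %s\n", n, out);
    return 0;
}
```

With the "==" test the output contains bytes from beyond the 8-byte input; with ">=" it contains only the input.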