Yes, it was random “uninitialized memory” data. It could have leaked data that would allow access to passwords and internal systems though (someone said including Cloudflare API keys). Problem is that Cloudflare is connected to a huge portion of the internet (well probably not as big as Akamai but still quite large) and yes it was a small number of requests but that still adds up because it was a page rewrite issue (so every served page on affected sites had the problem). It could have just as easily been three words from someone’s comment about smelly armpits.
There’s also the problem that the leaked memory data could have appeared somewhere else, if I understand it correctly. So there’s no real way to find out who saw what from which sites, because it was just random crud.
Basically, depending on what was running through Cloudflare it could have been worse than an individual’s passwords.
The biggest problem is not even that the data was leaked, but how it was found. The data was found because it was being indexed by search engines.
And then there’s the fact that they will not fix it. They fixed the symptom but not the cause, and it’s concerning that people don’t seem to notice. The cause being there shouldn’t be uninitialized memory that the program has access to. Basically, they didn’t bother the clear the memory like they should. And still aren’t.
It was a combo of three of their services that caused it under certain circumstances, and basically their ‘initial mitigation’ was to turn one of them off. Wow, I could have figured that out. “It’s not working right! Turn it off!”
It could have been a leak of anything, or nothing. Who knows? They specifically worked with the search engines to purge the data, so we can’t see it anymore, but I can guarantee you somebody somewhere found something interesting. And will use it in the future.
The risk is very small, but it is a reminder that it’s best to change passwords randomly, and not use the same ones for multiple sites/services. And that blindly trusting the little green lock icon is trust misplaced.
And because I forgot the forums don’t like me to reply individually anymore, this is to @bolharr2250:
If it’s easy to use, it’s easy to screw up, or attack. With Cloudflare in particular, how was it ever secure to intermingle people’s secure data? Most load balancing could be eliminated if people would just quit filling code with massive chucks of nothing, like loops instead of direct access (as a simple example). And with free, you get what you pay for. APIs are one of the most misused ideas on the internet.
Yes, but there’s no reason to do that via an API.
That’s true too, but how would someone vet something like Cloudflare? It’s not like people could hire a bunch of experts and say “give me access to your internal systems so I can review them.” Well, you could, if you had the money, but I think I know what the answer to the access request would be.