Cloudflare published a blog post about a recent incident. If you are, or used to be, a Cloudflare customer, you should pay attention to official announcements and change your administrator passwords and customer passwords if necessary. This bug was found by Tavis Ormandy of Google Project Zero.
According to the official blog post, in some unusual circumstances Cloudflare’s edge servers were running past the end of a buffer and returning memory that contained private information such as HTTP cookies, authentication tokens, HTTP POST bodies, and other sensitive data. Most importantly, some of that data had been cached by search engines. Before the announcement, the Cloudflare team worked with search engines to scrub the caches.
Cloudflare has not provided an official list of affected domains; here is an unofficial list of domains that may have been affected. As I said, it is unofficial: not all the domains in the list have been compromised, and domains that have been compromised may not be in the list.
Let’s focus on the incident and stay tuned for an official solution to it.