Uber, Yelp, OKCupid among major iOS apps potentially affected by massive 'Cloudbleed' leak

By Roger Fingas

Content delivery network Cloudflare has suffered a serious, months-long breach of user data, including content from thousands of websites and from iOS apps such as Uber, Fitbit, Yelp, and OKCupid, according to reports.

The incident is thought to have begun in late September and peaked between Feb. 13 and 18, Ars Technica said. Cloudflare explained that a glitch in its edge servers caused buffer overruns, in turn coughing up private data like passwords, cookies, and authentication tokens that was cached by search engines.

No private SSL keys were leaked, Cloudflare said, adding that it hasn't encountered any evidence of parties exploiting the situation. The leaks were stopped by temporarily turning off email obfuscation, server-side excludes, and automatic HTTPS rewrites while a fix was implemented.

Search engines like Google and Bing reportedly began clearing cached data before the breach was allowed to become public knowledge, but Ars noted that some sensitive data may still be in the wild.

A Google researcher, Tavis Ormandy, brought the issue to Cloudflare's attention last Friday. In response to the latter's blog post, however, Ormandy suggested that it "severely downplays the risk to customers." A GitHub page is offering a list of potentially affected sites, though its author notes that it includes all domains using Cloudflare DNS, not just the Cloudflare proxy involved in the leaks.

One service that has acknowledged being affected -- 1Password -- insisted that no sensitive data was exposed in its case, since it encrypts data in transit.

According to mobile app security firm NowSecure, at least 200 iOS apps may be impacted, a few bigger examples being ABC News, Breitbart, CNN, Dropbox, and Microsoft Outlook. The real tally could be higher, since the number comes from a sample of 3,500 of the more popular titles.

It's recommended that people using affected apps or websites change their passwords and monitor related activity.

The issue is sometimes nicknamed "Cloudbleed," a reference to the Heartbleed vulnerability discovered in some versions of OpenSSL in 2014.