Cloudflare Web Service Error Leaks Website Data, Anime/Manga Companies Respond
posted on by Karen Ressler
Web performance and security service Cloudflare revealed on Thursday that a coding error has caused information leaks from websites that use Cloudflare. The leak caused some sensitive data to be cached on search engines such as Google.
Google researcher Tavis Ormandy spotted the leak last Friday, and Cloudflare CTO John Graham-Cumming disclosed the issue after the company said it was sure the search engine caches were clear of sensitive data. However, users reported discoveries of cached data after Cloudflare's disclosure. According to Graham-Cumming, the company has not found any instances of the bug being exploited with malicious intent.
Various anime and manga websites that use Cloudflare, including Anime News Network (ANN), responded to the incident.
ANN CEO and Publisher Christopher Macdonald stated, "Given the information that Cloudflare has published, I'm not particularly worried. ANN's servers don't conduct e-commerce (subscriptions and advertisement payments are handled by PayPal), and don't hold sensitive information, so there's not much to be worried about." As a precaution, he recommended that people change their passwords, particularly if they are also used on other sites.
Media distribution service Crunchyroll provided the following statement:
We're pleased to report that Crunchyroll was not affected by the Cloudflare leaks, because we do not use any of the services associated with the leaks. All Crunchyroll user data remains safe.
Crunchyroll also recommends that users "change [their] passwords regularly, and to choose long and complex ones that are not used in other places."
Hentai manga website FAKKU also uses Cloudflare, and investigated the issue after hearing of the leak. Cloudflare confirmed with FAKKU via e-mail that FAKKU "is not one of the domains where we have discovered exposed data in any third party caches." The company advised users to change their passwords if they use the same password for other websites that may have been affected.
Funimation Entertainment commented that "Funimation's website does not use CloudFlare Proxy services. All subscriber data is secure and was unaffected by this incident."
NIS America provided the following comment:
The NISA Online Store does not make use of Cloudflare's proxy service, and all consumer data related to the store is 100% safe from this leak.
However, our company forums found at www.nisamerica.com/forum are using a Cloudflare proxy service. While the chance that any forum users are affected is extremely low, we are taking appropriate actions to minimize any impact including notifying our registered users of the potential threat and encouraging them to reset their passwords.
More than 5.5 million websites reportedly use Cloudflare to improve performance and security, and to stay online in case of a coordinated attack known as distributed denial of service (DDoS). Developer Nick Sweeting posted an unofficial list of potentially affected websites. Other websites on Sweeting's list include 2ch.net, 4chan.org, anime-planet.com, deviantart.com, patreon.com, and penny-arcade.com, as well as a number of websites that post anime and manga illegally.
The leak may have been active since September 22, but Graham-Cumming stated that the greatest period of impact was February 13-18.
Thanks to Ian W for the news tip.