Cloudflare Leaks Sensitive User Data Across the Web

ShaunC writes: In a bug that's been christened "Cloudbleed," Cloudflare disclosed today that some of their products accidentally exposed private user information from a number of websites. Similar to 2014's Heartbleed, Cloudflare's problem involved a buffer overrun that allowed uninitialized memory contents to leak into normal web traffic. Tavis Ormandy, of Google's Project Zero, discovered the flaw last week. Affected sites include Uber, Fitbit, and OK Cupid, as well as unnamed services for hotel booking and password management. Cloudflare says the bug has been fixed, and Google has purged affected pages from its search index and cache. Further reading: The Register, Ars Technica

Re:C strikes again

Would not have helped. The problem with C is that pointers carry no information about the area of memory they're supposed to be point within. C programmers use pointers like indices, but an index alone isn't enough to address memory: You need the array too, and at least conceptually that comes with a size (but of course pure C doesn't stop you from exceeding array bounds.) What happened here is that the program had lots of buffers in contiguous memory, and by exceeding the one it was supposed to work with, it didn't end up serving uninitialized memory but other (initialized and used) buffers for other clients.

Re:Lovely

Problem with 64-character passwords is that a lot of websites/services truncate passwords above a certain length, often without telling the user *cough* PayPal.