This post originally appeared on the JadoPado Blog and has been reproduced here to preserve the JadoPado historical record.
On the 23rd of February, one of our service providers, Cloudflare, reported a memory leak caused by a bug in its HTML parser, which was initially detected by Tavis Ormandy from Google’s Project Zero on the 16th of February. Tavis worked with the Cloudflare team over the next few days to mitigate the issue to the greatest extent possible before announcing it publicly.
Cloudflare explains that “our edge servers were running past the end of a buffer and returning memory that contained private information such as HTTP cookies, authentication tokens, HTTP POST bodies, and other sensitive data. And some of that data had been cached by search engines.”
Cloudflare’s initial mitigation took 47 minutes, and a global fix was in place in under 7 hours whilst they continued to work with Google and other search engines to remove any cached HTTP responses.
Based on information that we’ve received from Cloudflare, we have not been affected, but as a precaution, we responded swiftly on the 24th of February by invalidating all user sessions, cookies and authentication tokens, including API keys. At this time, we do not believe that forcing a reset of user credentials is necessary.
Additional measures that you can take
We strongly encourage all users to reset their passwords across all services affected by Cloudbleed, and continue to advocate that absolutely everyone should use a password manager.