Google Search Results Still Expose Sensitive Data Leaked by ‘CloudBleed’ Bug
Despite helping fix the bug, Google hasn’t cleaned up all the exposed leaked data from its search results.
Image: Alonso Inostrosa Psijas/Flickr
Google was quick to notify CloudFlare last week of the issue and the two companies have since been working to speedily fix the bug, which made websites spew private information, such as passwords, authentication cookies, login credentials or API keys. To make things worse, this data would in turn be cached and recorded by search engines—that's why Google had to remove the sensitive data from its own cache.
But, as it turns out, there's still some leaked data floating around the internet.
Independent security researcher Hector Martin, aka "marcan," found that it was possible to "find random authentication cookies for sites affected by #CloudBleed with a simple Google search." As he put it in a tweet, he said, that is "scary."
"There's no easy way for Google to positively identify every single such page."
For example, Martin found an authentication cookie for a financial website, which would allow a malicious hacker to login as a registered user. Given that this is still possible, Martin added, websites that might be affected need to invalidate all login sessions and tell users to change their passwords.
Martin agreed to share the query he used to find the data with Motherboard, but we're not publishing it to avoid putting users at risk and at the request of Martin himself. Another security researcher also shared slightly different variations of the query, which all appear to return leaked data as of Friday early afternoon.
Read more: The Motherboard Guide To Not Getting Hacked
"The problem is there's no easy way for Google to positively identify every single such page," Martin told Motherboard in an online chat. "You can try using search terms for things that commonly appear in the random junk (that search term is one such term) but it's very hard to come up with some kind of way of guaranteeing that you got them all."
CloudFlare's founder Matthew Prince confirmed that there's still some data leftover.
"We continue to work with Google to clean up their cache," prince told Motherboard in an email. "While the vast majority of data has been cleaned up, there are a handful of pockets we're still identifying and requesting they take down."
"There may be some stragglers on the long tail, we did the best we could. It was a huge operation."
Tavis Ormandy, the Google Project Zero security researcher who originally discovered the bug also seemed to confirm Martin's findings. (Google did not immediately respond to a request for comment.)
"Grr, there may be some stragglers on the long tail, we did the best we could. It was a huge operation," he wrote in a reply to Martin's tweet.
While it remains unlikely that your data was exposed as part of this bug, this might be a good chance to change passwords and start using a password manager, as we suggested this morning.
As an extra precaution, it might be a good idea to log in and then back out after changing passwords in case the website doesn't do that for you automatically on all your devices.