CloudFlare security issue may have exposed AnkiWeb data

This morning (Feb 24) a security flaw in one of our network providers was revealed. While there is a good chance no AnkiWeb data was leaked, we recommend changing your password to be safe.

Background

CloudFlare operates servers at many locations around the world. When you connect to a site that uses CloudFlare, your connection goes first to a nearby CloudFlare server, which then forwards it on to the site itself. Because you are talking to a server close to you, pages tend to load faster than they would without CloudFlare. CloudFlare is used by a number of big companies, such as Uber, Quizlet, Yelp and OkCupid.

AnkiWeb does not currently route private requests (such as syncs) through CloudFlare, but we did do so on a trial basis from approximately Jan 5 to Jan 30 this year.

The security issue

CloudFlare's servers had a bug that could cause private data to be leaked. Because the same servers handle traffic for many customers, when one customer's site served a badly formatted web page, a CloudFlare server would sometimes insert a small chunk of its own memory into that page as it passed through, and that memory could hold data from a request to a different customer's site that had been handled shortly before. This means there is a chance that data from AnkiWeb pages or AnkiWeb syncs was inserted into pages of unrelated websites.
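To make the mechanism concrete, here is an added illustration of the bug class (it is not CloudFlare's code, and the arena layout, the page text and the request-B data are all constructed for the example). A tag-stripping scanner is run over a page whose last byte is an unterminated "<". The buggy version steps two bytes at a time and checks for the end of the page with an equality test, so it hops over the end and keeps reading the neighbouring request's bytes into its output; the hardened version uses an ordered comparison and consumes one byte per step, so the unterminated tag simply ends the page.

```c
#include <stdio.h>
#include <string.h>

/* Constructed shared arena (an assumption for this illustration, not
 * CloudFlare's real buffer handling): two requests' data laid end to end, as a
 * proxy that recycles one big buffer might hold them. Request A is a malformed
 * page ending in an unterminated tag, a lone '<'. Request B belongs to another
 * customer's site and must never reach A's output. */
static const char ARENA[] =
    "<p>hello</p><"                                                          /* request A */
    "HTTP/1.1 200 OK\r\n\r\n<html><body>Account: alice@example.com</body>"; /* request B */

#define A_LEN 13   /* bytes of request A: strlen("<p>hello</p><") */

typedef size_t (*scan_fn)(const char *p, const char *end, char *out, size_t cap);

/* Copy the text of the page in [p, end) to out, dropping tags; returns bytes
 * written. The bug: after a '<' it assumes a tag name follows and steps over
 * two bytes at once, then tests for the end of the page with '!='. When '<' is
 * the page's last byte, p lands one past end, the test can never fire again,
 * and the scan runs on into request B's bytes. Only the arena's terminating
 * NUL stops it here, standing in for whatever happened to end a real over-read. */
static size_t strip_tags_buggy(const char *p, const char *end, char *out, size_t cap)
{
    size_t n = 0;
    while (p != end && *p != '\0') {
        if (*p == '<') {
            p += 2;                                   /* '<' plus first name byte */
            while (p != end && *p != '\0' && *p != '>')
                p++;                                  /* skip to closing '>' */
            if (p != end && *p != '\0')
                p++;                                  /* consume '>' */
            continue;
        }
        if (n + 1 < cap) out[n++] = *p;
        p++;
    }
    out[n] = '\0';
    return n;
}

/* Hardened version: consume one byte per step, and use an ordered comparison so
 * that p can never be advanced past end without the loop noticing. With the
 * same input the unterminated '<' simply ends the page. */
static size_t strip_tags_fixed(const char *p, const char *end, char *out, size_t cap)
{
    size_t n = 0;
    while (p < end) {
        if (*p == '<') {
            p++;                                      /* consume only the '<' */
            while (p < end && *p != '>')
                p++;
            if (p < end)
                p++;                                  /* consume '>' */
            continue;
        }
        if (n + 1 < cap) out[n++] = *p;
        p++;
    }
    out[n] = '\0';
    return n;
}

/* Run a scanner over request A's slice of the arena; returns the text produced. */
static const char *scan_page(scan_fn scan)
{
    static char out[256];
    scan(ARENA, ARENA + A_LEN, out, sizeof out);
    return out;
}

int main(void)
{
    printf("buggy: \"%s\"\n", scan_page(strip_tags_buggy));  /* carries request B's data */
    printf("fixed: \"%s\"\n", scan_page(strip_tags_fixed));  /* just "hello" */
    return 0;
}
```

The over-read here stays inside one array, so the program is well defined and deterministic; in a real proxy the bytes past the end of a request's buffer are whatever the process last put there, which is exactly why the leaked data was unpredictable and could belong to any other customer.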

According to CloudFlare, the issue had existed in a limited form since September last year, but the greatest period of impact was between Feb 13 and Feb 18, after changes they deployed on the 13th.

What you should do

Because AnkiWeb was not using CloudFlare for private requests during the Feb 13-18 window, the risk that AnkiWeb data leaked is thankfully fairly slim. That said, the bug did exist in a limited form during our Jan 5-30 trial, so we cannot say with 100% certainty that no data was leaked, and we recommend you change your AnkiWeb password.

As this issue affects many other websites that use CloudFlare, you may need to change your password on other sites too. A list of sites known to use CloudFlare (not all of which were necessarily affected) is available here: https://github.com/pirate/sites-using-cloudflare

If you used the same email address and password on other sites, change your password on those sites as well. Reusing a password across sites considerably increases your risk when incidents like this happen. Please consider using a password manager such as 1Password or LastPass in the future, as they can generate a unique password for each site and keep track of them all for you.

More technical info

CloudFlare posted an incident report on their blog: https://blog.cloudflare.com/incident-report-on-memory-leak-caused-b...

The issue was discovered by Google's Project Zero: https://bugs.chromium.org/p/project-zero/issues/detail?id=1139