The bug that made me give up on Cloudflare

Hello, I stopped using Cloudflare for security reasons and would like to clarify the reasons for you to have the opportunity to fix this issue as soon as possible.

The bug is in the Crawler Hints system. When two websites are using Cloudflare, one site can send information to IndexNow as if it were the other site.

For example, I had Crawler Hints disabled on my Cloudflare, but this doesn’t matter to criminals because all they have to do is create a fake website and use Cloudflare with their site’s Crawler Hints activated. This way, somehow, they were able to send indexed page information to IndexNow.

Example of a website used by criminals to deceive the Crawler Hints:
(DO NOT SHARE LINKS TO SITES YOU THINK ARE MALICIOUS)

The consequence of this is that they use the WordPress search system to index pages with advertisements. To see an example, just type (DO NOT SHARE LINKS TO SITES YOU THINK ARE MALICIOUS) into Google to see the consequences of this attack.

How they use IndexNow’s authority to pretend to be another site, I don’t know, as I haven’t researched how IndexNow authentication works. However, I’m 99% sure it’s a flaw in Cloudflare that allows one site to pretend to be another when sending information to IndexNow.

Yoast SEO also wrote about this on their blog: "Is your site the victim of internal site search spam?"

Thank you for bringing this to our attention. We understand the potential security implications and assure you that Cloudflare treats all security concerns with high importance.

When made aware, we will immediately escalate this to our Product Security Team. I noticed in an article you shared from last year that pitches Yoast SEO Premium that the author made mention of being “in touch with Cloudflare” but I do not see any reference to any such discussion.

In the meantime, please report this directly through our HackerOne Bug Bounty Program (https://www.cloudflare.com/en-sg/bug-bounty/).

2 Likes

So did Cloudflare address this issue? This shows as solved, but there is nothing stating that you have eliminated this opportunity, which has significant consequences. So it is really not solved. How do we know that this is being addressed? Because I agree… this is a "remove my domains from Cloudflare" bug, as the consequences are not just temporary… it is half a year to recover from this type of attack.