A CloudFlare API was leaking private details, including API keys, personal/account data, and OAuth keys, due to a lack of origin protection on the application.
Great response from them: the initial response was received after only 10 minutes, and an effective mitigation was in place within around 6 hours.
The lack of access control on the https://mobilesdk.cloudflare.com/api/v1/ API allows a remote attacker to access and steal a logged-in user's private data.
This can be done due to the lack of origin protection. An attacker can embed the config URI "https://mobilesdk.cloudflare.com/api/v1/config" as a hidden iframe on their site, and then access/store the victim's JSON output containing the details.
The vulnerability could leak a lot of private details, including but not limited to app private API keys, auth keys, e-mail addresses, names, phone numbers, locations, etc.
Given the client key is "hidden" at the start and used to initiate the app signup process, it's possible the attacker may be able to impersonate the user and take control of their app in some way, although I can't verify this, as I don't have the SDK downloaded.
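
The write-up does not say how the endpoint was fixed. As an added example (not CloudFlare's code), this is one way a server can apply origin protection to a credentialed JSON endpoint such as the config API described above. `originPolicy`, `ALLOWED_ORIGINS` and the allowed origin are hypothetical, and request header names are assumed to be lower-cased as Node's `http` module provides them.

```javascript
// Added example, not CloudFlare's code. ALLOWED_ORIGINS and originPolicy()
// are hypothetical names; the allowed origin is a constructed value.
const ALLOWED_ORIGINS = new Set(["https://dashboard.example.com"]);

// Decide whether a request for the account's private JSON may be answered.
// `reqHeaders` uses lower-cased names, as Node's http module provides them.
function originPolicy(reqHeaders) {
  const headers = {
    "X-Frame-Options": "DENY",                      // never render inside a frame
    "Content-Security-Policy": "frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",            // JSON is never sniffed as HTML
    "Cache-Control": "no-store",
    "Vary": "Origin",                               // CORS headers depend on Origin
  };
  const deny = (reason) => ({ status: 403, headers, reason });
  const origin = reqHeaders["origin"];
  const site = reqHeaders["sec-fetch-site"];        // Fetch Metadata headers
  const dest = reqHeaders["sec-fetch-dest"];

  // An API response is only ever wanted by fetch/XHR ("empty"), so refuse
  // loads destined for an iframe, script, object, document and so on.
  if (dest !== undefined && dest !== "empty") return deny("embedded-load");

  if (origin !== undefined) {
    // Exact-match allowlist: no reflection of arbitrary origins, no "*",
    // no "null", no substring or suffix matching.
    if (!ALLOWED_ORIGINS.has(origin)) return deny("origin-not-allowed");
    headers["Access-Control-Allow-Origin"] = origin;
    headers["Access-Control-Allow-Credentials"] = "true";
    return { status: 200, headers, reason: "allowed-origin" };
  }

  // No Origin header: a browser still reports where the request came from.
  if (site !== undefined && site !== "same-origin") return deny("cross-site-request");

  // Same-origin browser request or a non-browser client. No CORS headers
  // are emitted, so no other origin can read the body from script.
  return { status: 200, headers, reason: "no-cross-origin-context" };
}
```

The decision runs before any account data is loaded, so a denied request never produces a response body containing keys or personal details.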