Thread: Malware & other nasty IT / cyber things
  1. #1
    Council Member davidbfpo's Avatar
    Join Date
    Mar 2006
    Location
    UK
    Posts
    13,366

    Cloudflare: Alert passwords compromised

    A new thread for temporary maximum visibility; it is explained in the main post, which will appear first in a moment. Thanks to Outlaw09 for spotting the circulation.
    davidbfpo

  2. #2
    Council Member
    Join Date
    Nov 2013
    Posts
    35,749

    Cloudflare: Alert passwords compromised

    Warning for SWJ commenters, bloggers and/or blogsites....

    List of Sites possibly affected by Cloudflare's #Cloudbleed HTTPS Traffic Leak

    https://github.com/pirate/sites-usin...ster/README.md

    DISCLAIMER:
    This list contains all domains that use cloudflare DNS, not just the cloudflare SSL proxy (the affected service that leaked data). It's a broad sweeping list that includes everything. Just because a domain is on the list does not mean the site is compromised. This list will be narrowed down to the affected domains as I get more information. This is a (work-in-progress) list of domains possibly affected by the CloudBleed HTTPS traffic leak. Original vuln thread by Google Project Zero.
    Cloudflare has not provided an official list of affected domains, and likely will not due to privacy concerns. I'm compiling an unofficial list here so you know what passwords to change.
    Impact
    Between 2016-09-22 - 2017-02-18 passwords, private messages, API keys, and other sensitive data were leaked by Cloudflare to random requesters. Data was cached by search engines, and may have been collected by random adversaries over the past few months.
    "The greatest period of impact was from February 13 and February 18 with around 1 in every 3,300,000 HTTP requests through Cloudflare potentially resulting in memory leakage (that’s about 0.00003% of requests), potential of 100k-200k pages with private data leaked every day" -- source
    You can see some of the leaked data yourself in search engine caches: https://duckduckgo.com/?q=+%7B%22sch...IP&t=h_&ia=web
    What should I do?
    Check your password managers and change all your passwords, especially those on these affected sites. Rotate API keys & secrets, and confirm you have 2-FA set up for important accounts. Theoretically sites not in this list can also be affected (because an affected site could have made an API request to a non-affected one), so to be safe you should probably change all your important passwords.
    Submit PR's to add domains that you know are using cloudflare
    Methodology
    This list was compiled from 3 large dumps of all cloudflare customers provided by crimeflare.com/cfs.html, and several manually copy-pasted lists from stackshare.io and wappalyzer.com. Crimeflare collected their lists by doing NS DNS lookups on a large number of domains, and checking SSL certificate ownership.
    I scraped the Alexa top 10,000 by using a simple loop over the list:
    # fish shell: one NS lookup per domain, keep any domain whose nameservers mention cloudflare
    for domain in (cat ~/Desktop/alexa_10000.csv)
        if dig $domain NS | grep cloudflare
            echo $domain >> affected.txt
        end
    end
    The alexa scrape, and the crimeflare dumps were then combined in a single text file, and passed through uniq | sort. I've since accepted several PRs and issues to remove sites that were unaffected from the list.
    Data sources:
    https://stackshare.io/cloudflare
    https://wappalyzer.com/applications/cloudflare
    DNS scraper I'm running on Alexa top 10,000 sites (grepping for cloudflare in results)
    https://www.cloudflare.com/ips/ (going to find sites that resolve to these IPs next)
    http://www.crimeflare.com/cfs.html (scrape of all cloudflare customers)
    http://www.doesitusecloudflare.com/
    I'd rather be safe than sorry so I've included any domain here that remotely touches cloudflare. If I've made a mistake and you believe your site is not affected, submit a PR and I will merge it ASAP, I don't want to hurt anyone's reputation unnecessarily.
    You can also ping me on twitter @theSquashSH and I'll respond as soon as I can.
    Full List
    Download the full list.zip (22mb)
    4,287,625 possibly affected domains. Download this file, unzip it, then run grep -x domaintocheck.com sorted_unique_cf.txt to see if a domain is present.
    Also, a list of some iOS apps that may have been affected.
    For those late to it, yes, you probably should change your passwords on sites that use CloudFlare as a precaution
    https://bugs.chromium.org/p/project-...etail?id=1139#

    To be clear, this isn't some nation state level attack: data is cached in search engines right now
    Last edited by OUTLAW 09; 02-24-2017 at 08:44 AM.
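The README quoted above builds its list from NS lookups, which (as its own disclaimer says) catches every domain on Cloudflare DNS, not only those whose HTTPS traffic actually passed through the reverse proxy. The following is an added example, not code from the README, the repository, or anyone in this thread. It separates the two cases the way a practitioner would when deciding which passwords to rotate first: a domain whose A record resolves into Cloudflare's published IP ranges had its traffic proxied (in scope for Cloudbleed), while a domain that merely delegates NS to Cloudflare with an origin IP elsewhere did not. The lookup results and the four IP ranges are constructed samples (the real ranges come from https://www.cloudflare.com/ips/), and the domain names and function names are this example's own. It also shows the exact-match check that the README's `grep -x domaintocheck.com sorted_unique_cf.txt` intends; with plain grep the `.` in the pattern is a regex wildcard, so `grep -xF` is the stricter form.

```python
import ipaddress
import re

# Constructed subset of Cloudflare's published IPv4 ranges (https://www.cloudflare.com/ips/).
# Fetch the live list before relying on this for a real assessment.
CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "104.16.0.0/13", "104.24.0.0/14",
)]

# Cloudflare-hosted zones are delegated to <name>.ns.cloudflare.com nameservers.
CF_NS_RE = re.compile(r"\.ns\.cloudflare\.com\.?$", re.IGNORECASE)

# Constructed sample shaped like `dig +short <domain> NS` and `dig +short <domain> A` output.
# Hypothetical domains; nothing here is a real lookup result.
SAMPLE_LOOKUPS = {
    "proxied.example": {"NS": ["ada.ns.cloudflare.com.", "bob.ns.cloudflare.com."], "A": ["104.16.12.34"]},
    "dnsonly.example": {"NS": ["ada.ns.cloudflare.com.", "bob.ns.cloudflare.com."], "A": ["203.0.113.10"]},
    "cdnonly.example": {"NS": ["ns1.other-dns.example."], "A": ["173.245.48.9"]},
    "other.example":   {"NS": ["ns1.other-dns.example.", "ns2.other-dns.example."], "A": ["198.51.100.7"]},
}

# Constructed excerpt standing in for sorted_unique_cf.txt (one domain per line).
SAMPLE_LIST = """\
example.com
proxied.example
sub.proxied.example
"""


def ns_is_cloudflare(ns_records):
    """True if any NS record names a Cloudflare nameserver.
    This is what the README's `dig $domain NS | grep cloudflare` loop approximates."""
    return any(CF_NS_RE.search(ns.strip()) for ns in ns_records)


def ip_is_cloudflare(ip):
    """True if the address falls inside one of the published Cloudflare ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_V4)


def classify(domain, lookups=SAMPLE_LOOKUPS):
    """Classify a domain by how it uses Cloudflare.

    'proxied'        - A record points at Cloudflare: HTTP(S) went through the reverse proxy,
                       so this is the case that matters for a Cloudbleed exposure review.
    'dns-only'       - NS delegated to Cloudflare but the origin IP is exposed: the proxy
                       was not in the path (the README's list still includes these).
    'not-cloudflare' - neither.
    """
    rec = lookups.get(domain)
    if rec is None:
        return "unknown"
    if any(ip_is_cloudflare(ip) for ip in rec["A"]):
        return "proxied"
    if ns_is_cloudflare(rec["NS"]):
        return "dns-only"
    return "not-cloudflare"


def load_list(text):
    """Parse a one-domain-per-line list into a normalised set."""
    return {line.strip().lower().rstrip(".") for line in text.splitlines() if line.strip()}


def in_affected_list(domain, listed):
    """Exact whole-domain match, the intent of `grep -x domain sorted_unique_cf.txt`.
    Unlike an unanchored regex, a dot in the query only matches a dot."""
    return domain.strip().lower().rstrip(".") in listed


if __name__ == "__main__":
    listed = load_list(SAMPLE_LIST)
    for d in SAMPLE_LOOKUPS:
        print(f"{d:20} {classify(d):15} listed={in_affected_list(d, listed)}")
```

Rotate credentials for the 'proxied' group first; the 'dns-only' group is on the README's list only because of the NS heuristic.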

  3. #3
    Council Member
    Join Date
    Nov 2013
    Posts
    35,749


    CloudBleed: check if you visited sites affected by CloudFlare’s security issue

    By Martin Brinkmann on February 26, 2017 in Security - Last Update: February 26, 2017

    CloudBleed is the unofficial name for a security issue discovered on February 17th, 2017 that affected CloudFlare's reverse proxies.
    CloudFlare is a large provider that is used by more than 5.5 million Internet properties according to the company's website. It offers CDN and DDOS protection, optimization technologies for websites, dedicated SSL and a lot more.
    The basic service is offered for free, but webmasters and organizations may upgrade to a paid plan for additional features and better protection.
    The security issue at hand caused the servers to "run past the end of a buffer" which returned memory that contained private information. Among other things, it might have included HTTP cookies, authentication tokens, HTTP Post bodies, and other sensitive data.
    The issue was disclosed by Google's Project Zero, and has since been fixed by CloudFlare.

    The main issue for Internet users is that their authentication cookies or data may have leaked. Search engines may have cached the data, and attackers may have exploited the issue as well to gather the data.
    Since there is no record of whether individual user data was leaked or not, some experts suggest that users change passwords on all sites and services that use CloudFlare. This is a difficult thing for most users however, as it is quite time consuming to find out whether services and sites use CloudFlare.
    The Firefox add-on and Chrome Extension CloudBleed changes that. Designed by the NoSquint Plus author, it parses the browsing history of the browser to reveal any site or service that uses CloudFlare.
    This enables you to go quickly through the listing to identify sites that you have an account on.
    The extensions work identically in both browsers. Simply install it in your browser of choice, and click on the icon that it adds to the main toolbar of the browser.
    The page that loads includes a short explanation, and a search button that you need to click on. The extension goes through the browsing history then, and checks whether sites in the history were affected by the issue.
    Some sites may appear multiple times in the listing. An option to filter sites by domain, or subdomain, would have been useful.
    The author notes that all processing is done on the local system. All that is left afterwards is to go through the list to identify the sites with accounts.
    Closing Words
    CloudBleed is a handy browser extension for Google Chrome and Firefox. You may use it to reveal sites affected by CloudFlare's recent security issue quickly, provided that you did not delete the browsing history in the meantime.
    Now You: Have you changed account passwords of affected sites?
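The extension described above does its work locally: it reads the browser's history, extracts the hosts visited, and matches them against a list of Cloudflare-fronted domains. The following is an added example of that matching logic, not the extension's code and not from the article or anyone in this thread. It runs against a constructed in-memory table shaped like the `url` column of the `moz_places` table in Firefox's places.sqlite, uses a constructed affected-domain excerpt, and collapses `api.`, `www.` and bare hosts onto one registrable domain, which addresses the duplicate entries the article notes. Matching every parent suffix of the host against the list avoids the "last two labels" shortcut that breaks on names like co.uk; the domains and function names are this example's own.

```python
import sqlite3
from urllib.parse import urlsplit

# Constructed history rows, shaped like the `url` column of Firefox's moz_places table.
SAMPLE_HISTORY = [
    "https://proxied.example/login",
    "https://www.proxied.example/account?tab=keys",
    "https://mail.dnsonly.example/inbox",
    "http://other.example/",
    "https://api.proxied.example/v1/me",
    "https://PROXIED.example/login",
    "about:blank",
]

# Constructed excerpt of an affected-domain list (hypothetical domains).
AFFECTED_DOMAINS = {"proxied.example", "cdnonly.example", "dnsonly.example"}


def build_history_db(urls):
    """Create an in-memory SQLite DB with a minimal moz_places-like table (constructed for this example)."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT, title TEXT, visit_count INTEGER)"
    )
    con.executemany(
        "INSERT INTO moz_places (url, title, visit_count) VALUES (?, ?, ?)",
        [(u, None, 1) for u in urls],
    )
    return con


def host_of(url):
    """Lower-cased hostname of a URL, or None for URLs without one (about:, data:, ...)."""
    host = urlsplit(url).hostname
    return host.lower().rstrip(".") if host else None


def candidate_domains(host):
    """Yield the host and each parent domain with at least two labels:
    api.proxied.example -> api.proxied.example, proxied.example."""
    labels = host.split(".")
    for i in range(len(labels) - 1):
        yield ".".join(labels[i:])


def affected_sites_in_history(con, affected):
    """Map each affected domain found in history to the distinct hosts seen under it.

    One entry per affected domain (not per subdomain or per visit), so the result
    is the list of accounts to review rather than a list of page loads.
    """
    hits = {}
    for (url,) in con.execute("SELECT url FROM moz_places"):
        host = host_of(url)
        if not host:
            continue
        for candidate in candidate_domains(host):
            if candidate in affected:
                hits.setdefault(candidate, set()).add(host)
                break
    return {domain: sorted(hosts) for domain, hosts in hits.items()}


if __name__ == "__main__":
    con = build_history_db(SAMPLE_HISTORY)
    for domain, hosts in sorted(affected_sites_in_history(con, AFFECTED_DOMAINS).items()):
        print(f"{domain}: {', '.join(hosts)}")
```

The same approach applies to Chrome's History database, which stores URLs in a `urls` table; only the SELECT changes. Note that a clean history (or a history-clearing browser policy) gives an empty result, not a clean bill of health, which is the caveat the article closes on.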
