List of Sites Affected by Cloudflare's HTTPS Traffic Leak

914 points by emilong, about 8 years ago

43 comments

r1ch, about 8 years ago
Just got this classy spam from dyn.com. Wonder if they're going through this list emailing every domain contact.

> As you may be aware, Cloudflare incurred a security breach where user data from 3,400 websites was leaked and cached by search engines as a result of a bug. Sites affected included major ones like Uber, Fitbit, and OKCupid.

> Cloudflare has admitted that the breach occurred, but Ormandy and other security researchers believe the company is underplaying the severity of the incident …

> This incident sheds light and underlines the vulnerability of Cloudflare's network. Right now you could be at continued risk for security and network problems. Here at Dyn, we would like to extend a helpful hand in the event that your network infrastructure has been impacted by today's security breach or if the latest news has you rethinking your relationship with Cloudflare.

> Let me know if you would be interested in having a conversation about Dyn's DNS & Internet performance solutions.

> I look forward to hearing back from you.
actuator, about 8 years ago
I wrote this(1) script to check for any affected sites from local Chrome history. It checks for the header `cf-ray` in the response headers from the domain. It is not an exhaustive list but I was able to find a few important ones like my bank site.

1: https://gist.github.com/kamaljoshi/2cce5f6d35cd28de8f6dbb27d586f064
crottypeter, about 8 years ago
Today I learned that Uber does not have a change password option once you are logged in. You have to log out and pretend you forgot the password. Bad UX if you don't know.
ig1, about 8 years ago
Worth noting this statement by Cloudflare CTO:

"I am not changing any of my passwords. I think the probability that somebody saw something is so low it's not something I am concerned about."

http://www.bbc.co.uk/news/technology-39077611
nikisweeting, about 8 years ago
Aww man I submitted my list hours ago but I guess it never made it past the New page. https://github.com/pirate/sites-using-cloudflare

Original post: https://news.ycombinator.com/item?id=13720199
koolba, about 8 years ago
That's a wide impact. While any hijacked account is bad, some of these are *really* bad.

For example, https://coinbase.com is on that list! If they haven't immediately invalidated every single HTTP session after hearing this news this is going to be bad. Ditto for forcing password resets.

A hijacked account that can irrevocably send digital currency to an anonymous bad guy's account would be target number one for using data like this.
Cyphase, about 8 years ago
You missed the "possibly" in the header.

And the disclaimer right at the top:

*This list contains all domains that use cloudflare DNS, not just the cloudflare SSL proxy (the affected service that leaked data). It's a broad sweeping list that includes everything. Just because a domain is on the list does not mean the site is compromised.*
pulls, about 8 years ago
For what it's worth, as part of work on the effects of DNS on Tor's anonymity [1] we visited the Alexa top-1M in April 2016, recording all DNS requests made by Tor Browser for each site. We found that 6.4% of primary domains (the sites on the Alexa list) were behind a Cloudflare IPv4 address. However, for 25.8% of all sites, at least one domain on the site used Cloudflare. That's a big chunk of the Internet.

[1]: https://nymity.ch/tor-dns/
cloudvrfy, about 8 years ago
I wrote a simple website[1] to show if a user has visited the websites included in the list automatically, without browser plug-ins. It uses the :visited CSS pseudo-class to highlight the sites the user has visited before. It is not 100% accurate, but it can be a fun way to quickly show people that they may have visited sites on the list.

[1] https://cloudbleed.github.io/
jitbit, about 8 years ago
Webmasters and app devs running on CloudFlare: you (at least) have to "force-logout" your users that have a "remember me" cookie set.

At least change the cookie name so the token stops working. For example, in ASP.NET, change the "forms-auth" name in the web.config file.
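Renaming the cookie, as suggested above, kills every outstanding token at once. A dated cutoff does the same for tokens minted before the incident while keeping the ones issued after the fix. The following is an added example of that check, not jitbit's code nor any framework's; it assumes a hypothetical HMAC-signed remember-me cookie of the form `base64(payload).hexsig`, a constructed secret, and a constructed cutoff timestamp.

```python
"""Force-logout after an incident: reject every remember-me token issued
before a cutoff, globally and per account. Added example with constructed
secret, cutoff and token format; not code from the original thread."""
import base64
import hashlib
import hmac
import json

# Assumption: one server-side signing secret. Rotating it (or renaming the
# cookie, as jitbit suggests) invalidates every outstanding token at once.
SECRET = b"constructed-demo-secret-rotate-me"

# Assumption: the moment the operator learned of the leak. Tokens minted
# before it are treated as possibly exposed. Constructed value.
INCIDENT_CUTOFF = 1487700000  # 2017-02-21T17:20:00Z

# Per-account floor, raised when that user resets their password.
# In-memory stand-in for a database column.
MIN_ISSUED_AT: dict[str, int] = {}


def _sign(payload: bytes) -> str:
    return hmac.new(SECRET, payload, hashlib.sha256).hexdigest()


def issue_token(user_id: str, issued_at: int) -> str:
    """Mint base64(json payload).hexsig; the issue time is inside the signed payload."""
    payload = json.dumps({"uid": user_id, "iat": issued_at},
                         separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + _sign(payload)


def validate_token(token: str, now: int) -> tuple[bool, str]:
    """Return (accepted, reason). Signature is checked before anything is trusted."""
    try:
        b64, sig = token.rsplit(".", 1)
        payload = base64.urlsafe_b64decode(b64.encode())
    except (ValueError, TypeError):
        return False, "malformed"
    if not hmac.compare_digest(_sign(payload), sig):
        return False, "bad-signature"
    try:
        data = json.loads(payload)
        uid, iat = str(data["uid"]), int(data["iat"])
    except (ValueError, KeyError, TypeError):
        return False, "malformed"
    if iat > now:
        return False, "issued-in-future"
    if iat < INCIDENT_CUTOFF:
        return False, "issued-before-incident-cutoff"
    if iat < MIN_ISSUED_AT.get(uid, 0):
        return False, "issued-before-password-reset"
    return True, "ok"


def on_password_reset(user_id: str, when: int) -> None:
    """Invalidate only this user's outstanding tokens."""
    MIN_ISSUED_AT[user_id] = when


if __name__ == "__main__":
    old = issue_token("alice", INCIDENT_CUTOFF - 86400)
    new = issue_token("alice", INCIDENT_CUTOFF + 3600)
    now = INCIDENT_CUTOFF + 7200
    print(validate_token(old, now))   # rejected: issued before the cutoff
    print(validate_token(new, now))   # accepted
```

Because the issue time lives inside the signed payload, a client cannot move its own token past the cutoff, and the per-user floor lets a password reset revoke one account without touching the rest.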
Splines, about 8 years ago
If I have an account on an affected site, but did not interact with the site (via my browser or through some other site with an API call) during the time period when the vuln was live, am I still at risk?
edaemon, about 8 years ago
This list doesn't appear to include sites that use a CNAME setup with CloudFlare, i.e. sites on the Business or Enterprise plans that retain their authoritative DNS and use CNAMEs to point domains to a CloudFlare proxy.

There probably aren't many but with something this serious it could be important. I'm not sure how one would go about finding the sites that use the CNAME option. If it helps, they use a pattern like:

    www.example.com --> www.example.com.cdn.cloudflare.net

Hacker News is one such site, but it's listed in the "notable" section (it's not in the raw dump).
JaggedJax, about 8 years ago
In an email from Cloudflare sent out this morning they said:

> In our review of these third party caches, we discovered data that had been exposed from approximately 150 of Cloudflare's customers across our Free, Pro, Business, and Enterprise plans. We have reached out to these customers directly to provide them with a copy of the data that was exposed, help them understand its impact, and help them mitigate that impact.

Does this jive at all with the Google or Cloudflare disclosures? They are claiming that across all caches they only found and wiped data from ~150 domains, can that be true?
jschpp, about 8 years ago
That list isn't that useful... First of all, there are a LOT of pages hosted by CloudFlare; @taviso acknowledged that in the original bug report. (https://bugs.chromium.org/p/project-zero/issues/detail?id=1139#c5) Furthermore, you can't say which sites were hit by this bug and simply listing all CloudFlare sites is more or less fearmongering. If you are a verified victim of this bug CloudFlare will contact you. Lastly, if you want to be sure to mitigate effects of the attack just do it... If you want to be absolutely sure that your session keys etc. will remain uncompromised simply repeal all active session cookies.
vmarsy, about 8 years ago
Something I have a hard time understanding is how Cloudflare's cache generator page had access to sensitive information?

Were the 2 things running in the same process? If they were not, there's no way that the buffer overrun could read another process's memory, right? It would have failed with a segfault type of error.

If so, shouldn't Cloudflare consider running the sensitive stuff in a different process, so that no matter how buggy their caching engine is, it would never inadvertently read sensitive information?
nodesocket, about 8 years ago
This is ridiculous and somewhat irresponsible. This is just a list of domains using CloudFlare. The leak was only active under a set of very specific cases (email obfuscation, server-side excludes and automatic https rewrites).

I question Pirate's (https://github.com/pirate) motives for even doing this? Karma? Reputation?
jandy, about 8 years ago
I'm confused by the "not affected" remarks. I thought the issue was any site which passes data through cloudflare could be leaked by requests to a different site, due to their data being in memory. Have I misunderstood?
arca_vorago, about 8 years ago
Apparently root cause was:

    /* generated code */ if ( ++p == pe ) goto _test_eof;

"The root cause of the bug was that reaching the end of a buffer was checked using the equality operator and a pointer was able to step past the end of the buffer. This is known as a buffer overrun. Had the check been done using >= instead of == jumping over the buffer end would have been caught."

Detailed timeline:

"2017-02-18 0011 Tweet from Tavis Ormandy asking for Cloudflare contact information
2017-02-18 0032 Cloudflare receives details of bug from Google
2017-02-18 0040 Cross functional team assembles in San Francisco
2017-02-18 0119 Email Obfuscation disabled worldwide
2017-02-18 0122 London team joins
2017-02-18 0424 Automatic HTTPS Rewrites disabled worldwide
2017-02-18 0722 Patch implementing kill switch for cf-html parser deployed worldwide
2017-02-20 2159 SAFE_CHAR fix deployed globally
2017-02-21 1803 Automatic HTTPS Rewrites, Server-Side Excludes and Email Obfuscation re-enabled worldwide"

Seems like a pretty good response by cloudflare to me.
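The quoted root cause is easy to state and easy to misjudge: `++p == pe` is only a safe end-of-buffer check if `p` can never advance by more than one. The following is an added toy model of that pointer-stepping pattern, written in Python rather than taken from Cloudflare's cf-html parser. It assumes a scanner in which a backslash is a two-byte token (escape plus escaped byte), which is the kind of step that can carry the index over `pe`; `region` is constructed and stands in for process memory, with the bytes beyond `length` representing other requests' data.

```python
"""Toy model of `if ( ++p == pe ) goto _test_eof;` versus the `>=` fix.
Added example, not Cloudflare's code. `region` is constructed: its first
`length` bytes are the buffer being parsed, the rest is whatever else the
process had in memory. A backslash is treated as a two-byte token, the step
that lets the index jump over `pe`."""


def scan(region: bytes, length: int, check: str) -> tuple[bytes, int]:
    """Copy parsed bytes to the output until the end check fires.

    check == "==" reproduces the generated code's equality test.
    check == ">=" is the fix described in the incident report.
    Returns (output bytes, number of bytes read past the buffer end).
    """
    if check not in ("==", ">="):
        raise ValueError("check must be '==' or '>='")
    p, pe = 0, length
    out = bytearray()
    highest = -1                      # highest index actually read
    while p < len(region):            # the real code has no such guard; it keeps reading
        highest = p
        c = region[p]
        if c == 0x5C:                 # '\\': skip the escape and the byte it escapes
            p += 1
        else:
            out.append(c)
        p += 1                        # the generated ++p
        if (check == "==" and p == pe) or (check == ">=" and p >= pe):
            break                     # goto _test_eof
    overrun = max(0, highest + 1 - length)
    return bytes(out), overrun


# Constructed: a 3-byte buffer ending in an escape, followed by "foreign" memory.
REGION = b"ab\\" + b"SECRET"


if __name__ == "__main__":
    for check in ("==", ">="):
        out, overrun = scan(REGION, 3, check)
        print(f"{check}: output={out!r} bytes_read_past_end={overrun}")
```

With the equality check, a buffer whose last byte is an escape makes the index skip from `pe - 1` to `pe + 1`; the test never fires and the scanner copies the neighbouring bytes into its output, which is exactly how unrelated requests' data ended up in cached pages. With `>=` the same input stops at the boundary, and on well-formed input both versions behave identically, which is why the bug was invisible to ordinary testing.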
dikaiosune, about 8 years ago
I've been tinkering with a Python notebook for a few minutes to try to quickly assess how much of my LastPass vault is affected:

https://gist.github.com/dikaiosune/0ca7829884b3b3f790418f0f108fd38f

Improvements welcome.

One interesting thing: the raw dump that's linked from the list's README doesn't seem to include a couple of notable domains from the README itself, like news.ycombinator.com or reddit.com. I may be mangling the dump or incorrectly downloading it in some way.

EDIT: disclaimer, be responsible, audit how the dump is generated, etc etc etc
AdmiralAsshat, about 8 years ago
Authy is on the list. It would be *really* nice if they confirmed whether they are vulnerable or not, considering they hold all of my 2FA tokens. Otherwise I'll have to re-key the database.
RidleyL, about 8 years ago
I wrote a python script to help check your LastPass database for any potentially affected sites.

https://github.com/RidleyLarsen/cloudbleed_check_lastpass
danjoc, about 8 years ago
Is there a "standard" in the works for changing a password? Stuff like this is happening rather too frequently for my taste. I need a tool I can use to update all my passwords everywhere automatically and store the new ones in my password manager.
grogenaut, about 8 years ago
I ginned up this little tool tonight to help people out instead of grepping.

https://bleed.cloud/index.html

Sorry for the index.html, trying to figure out how to get the index file to work on CloudFront.

You can also run the python script on the website anonymously on your computer to dig sites out of your email, which is a good indicator that you have an account with them.
pmontra, about 8 years ago
I have hundreds of passwords in my password manager. That's going to take a week, considering I also have to work.
Wrhector, about 8 years ago
This list seems to be missing any sites that are using custom nameservers, which would be common on top sites using the enterprise plans. A better way to detect if the proxy is being used would be to resolve the IP and see if it lies in Cloudflare's subnets.
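actuator's `cf-ray` header check, edaemon's `*.cdn.cloudflare.net` CNAME pattern and the IP-range check proposed here are three independent signals that a host is behind Cloudflare's proxy, and together they also catch the CNAME-plan sites the DNS-derived list misses. The block below is an added example combining them; it is not the code from any of the gists or repositories linked in this thread. The IPv4 ranges are a snapshot typed in here and should be refreshed from https://www.cloudflare.com/ips-v4, the observations in `OBSERVED` are constructed stand-ins for what `dig` and `curl -I` would return, and the Chrome History reader assumes the standard SQLite `urls` table.

```python
"""Classify hosts as Cloudflare-fronted from CNAME, IP and response headers.
Added example; ranges are a snapshot, OBSERVED is constructed test data."""
import ipaddress
import sqlite3
from urllib.parse import urlsplit

# Snapshot of Cloudflare's published IPv4 ranges (assumption: refresh from
# https://www.cloudflare.com/ips-v4 before relying on this list).
CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]


def is_cloudflare_cname(target: str) -> bool:
    """CNAME-plan customers keep their own DNS and point at *.cdn.cloudflare.net."""
    return target.rstrip(".").lower().endswith(".cdn.cloudflare.net")


def is_cloudflare_ip(ip: str) -> bool:
    """True if the resolved address falls inside a Cloudflare edge range."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in CLOUDFLARE_V4)


def has_cloudflare_headers(headers: dict) -> bool:
    """cf-ray is stamped on every response that passed through the proxy."""
    h = {k.lower(): str(v).lower() for k, v in headers.items()}
    return "cf-ray" in h or h.get("server") == "cloudflare"


def classify(host: str, cname=None, addresses=(), headers=None) -> set[str]:
    """Return the set of signals ('cname', 'ip', 'header') seen for one host."""
    reasons = set()
    if cname and is_cloudflare_cname(cname):
        reasons.add("cname")
    if any(is_cloudflare_ip(a) for a in addresses):
        reasons.add("ip")
    if headers and has_cloudflare_headers(headers):
        reasons.add("header")
    return reasons


def hosts_from_urls(urls) -> set[str]:
    """Unique hostnames from any URL list: browser history, a password-manager
    export, links pulled out of a mailbox."""
    hosts = set()
    for u in urls:
        host = urlsplit(u).hostname
        if host:
            hosts.add(host.lower())
    return hosts


def hosts_from_chrome_history(path: str) -> set[str]:
    """Chrome's History file is SQLite with a `urls` table (assumption).
    Copy the file first; Chrome holds a lock on it while running."""
    con = sqlite3.connect(path)
    try:
        return hosts_from_urls(row[0] for row in con.execute("SELECT url FROM urls"))
    finally:
        con.close()


# Constructed observations standing in for dig/curl output; values are made up.
OBSERVED = {
    "cnameplan.example": {"cname": "cnameplan.example.cdn.cloudflare.net.",
                          "addresses": ["104.16.1.1"], "headers": None},
    "freeplan.example": {"cname": None, "addresses": ["172.64.10.5"],
                         "headers": {"cf-ray": "3a1b2c3d4e5f6789-LHR", "server": "cloudflare"}},
    "origin.example": {"cname": None, "addresses": ["203.0.113.7"],
                       "headers": {"server": "nginx"}},
}


def report(observed: dict) -> dict:
    return {host: classify(host, **obs) for host, obs in observed.items()}


if __name__ == "__main__":
    for host, reasons in report(OBSERVED).items():
        print(f"{host}: {'cloudflare ' + ','.join(sorted(reasons)) if reasons else 'no signal'}")
```

Being fronted by Cloudflare is a necessary condition, not proof of exposure: as several comments in this thread point out, the leak required the e-mail obfuscation, server-side excludes or Automatic HTTPS Rewrites features to be active, which none of these signals reveal. The output is a list of accounts worth rotating, not a list of confirmed leaks.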
kiallmacinnes, about 8 years ago
And, I've found several of my domains on this list.. Some of which don't host web content etc. and only use cloudflare for DNS. The list is currently ~4.3mil entries, which honestly feels like a rather low figure. I have no data to back up my gut feeling though ;)

Anyway, I'm OK with them being on this list, as I believe understanding the scope of the problem is important to figuring out how we prevent these kinda problems in the future.. (For example, answering this question requires understanding who uses CloudFlare: Why are so many sites concentrated on a single infrastructure?)
janwillemb, about 8 years ago
Thanks for posting and curating this list.
luckystartup, about 8 years ago
Oh crap. I've entered my banking password into Transferwise quite a few times.

Welp, time to change all my passwords.
pbhjpbhj, about 8 years ago
Do browsers still leak history info (eg http://zyan.scripts.mit.edu/sniffly/)? Is it possible to have a page show visitors if they are likely to be affected?
iKenshu, about 8 years ago
What if I sign in with Facebook or other? Should I change my password on Facebook or what?
paradite, about 8 years ago
Couldn't find a practical description of who is affected anywhere. Is it just the customers who have the Cloudflare HTTPS proxy service being affected, or is anyone using Cloudflare DNS affected?
base698, about 8 years ago
Has Cloudflare fixed the issues? Should I update passwords now or wait?
arikrak, about 8 years ago
It would be more useful if there was a way to see sites that actually were using the Cloudflare features that caused this bug. A large number of sites use Cloudflare, but few should have been affected by this bug:

> When the parser was used in combination with three Cloudflare features—e-mail obfuscation, server-side excludes, and Automatic HTTPS Rewrites—it caused Cloudflare edge servers to leak pseudo random memory contents into certain HTTP responses. https://arstechnica.com/security/2017/02/serious-cloudflare-bug-exposed-a-potpourri-of-secret-customer-data/
vasundhar, about 8 years ago
Unfortunately this seems to include news.ycombinator.com
em0ney, about 8 years ago
The list of websites once again reminds me of what Avenue Q immortalised in song: the internet is for porn
tonyztan, about 8 years ago
Just received an email from Glidera, a Bitcoin exchange. This is the first service to ask me to reset my password. I wonder why Uber, NameCheap, FitBit, and many others have yet to warn their users? Is Cloudflare downplaying this?

> Hi [Username],

> A bug was recently discovered with Cloudflare, which Glidera and many other websites use for DoS protection and other services. Due to the nature of the bug, we recommend as a precaution that you change your Glidera security credentials:

> Change your password
> Change your two-factor authentication

> You should similarly change your security credentials for other websites that use Cloudflare (see the link below for a list of possibly affected sites). If you are using the same password for multiple sites, you should change this immediately so that you have a unique password for each site. And you should enable two-factor authentication for every site that supports it.

> The Cloudflare bug has now been fixed, but it caused sensitive data like passwords to be leaked during a very small percentage of HTTP requests. The peak period of leakage is thought to have occurred between Feb 13 and Feb 18 when about 0.00003% of HTTP requests were affected. Although the rate of leakage was low, the information that might have been leaked could be very sensitive, so it's important that you take appropriate precautions to protect yourself.

> The actual leaks are thought to have only started about 6 months ago, so two-factor authentication generated before that time are probably safe, but we recommend changing them anyway because the vulnerability potentially existed for years.

> Please note that this bug does NOT mean that Glidera itself has been hacked or breached, but since individual security credentials may have been leaked some individual accounts could be vulnerable and everyone should change their credentials as a safeguard.

> Here are some links for further reading on the Cloudflare bug:

> TechCrunch article: https://techcrunch.com/2017/02/23/major-cloudflare-bug-leaked-sensitive-data-from-customers-websites/
> List of sites possibly affected by the bug: https://github.com/pirate/sites-using-cloudflare/blob/master/README.md

> If you have any questions or concerns in response to this email, please contact support at: support@glidera.io
StavrosK, about 8 years ago
I would like to point out that, if most sites used two-factor authentication, this leak would be at most a minor inconvenience. Maybe we should push for that more. Just days ago I talked to Namecheap about its horrible SMS-only 2FA and asked them to implement something actually secure; maybe contact your favorite site if they don't have 2FA yet.
jasonlingx, about 8 years ago
Do I need to change my cloudflare password?
yeukhon, about 8 years ago
Would the Internet Archive be able to "cache" the leaks?
beachstartup, about 8 years ago
this is another data point that supports my personal, hare-brained theory that the expectation of privacy on the internet is simply naive, a fool's errand. it never existed, and never will.

this is despite (or maybe because of) my best efforts to secure systems as a major part of my job.
djph0826, about 8 years ago
Volusion.com
amq, about 8 years ago
The title is misleading (for now). It is just a list of all sites using CF, compromised or not.
cromulent, about 8 years ago
"List of Sites *possibly* affected"

Sites using Cloudflare, really. However, Cloudflare say that only sites using three page rules were affected: email obfuscation, Server-side Excludes and Automatic HTTPS Rewrites. [1]

Is this over-estimating the impact, perhaps?

[1] https://blog.cloudflare.com/incident-report-on-memory-leak-caused-by-cloudflare-parser-bug/