<center> # CloudBleed Security Incident (2017) *Originally published 2017-02-25 on [docs.sweeting.me](https://docs.sweeting.me/s/blog).* <img src="https://i.imgur.com/seGYNYS.png" width="20%"/> A summary of my involvement with the 2017 CloudBleed announcement fiasco. --- https://github.com/pirate/sites-using-cloudflare </center> ## Summary Between 2016-09-22 - 2017-02-18 session tokens, passwords, private messages, API keys, and other sensitive data were leaked by Cloudflare to random requesters. Data was cached by search engines, and may have been collected by random adversaries over the past few months. Requests to sites with the HTML rewrite features enabled triggered a pointer math bug. Once the bug was triggered the response would include data from ANY other Cloudflare proxy customer that happened to be in memory at the time. Meaning a request for a page with one of those features could include data from Uber or one of the many other customers that didn't use those features. So the potential impact is every single one of the sites using Cloudflare's proxy services (including HTTP & HTTPS proxy). I compiled a list of all services using Cloudflare in order to allow operators to start checking caches for leaked data and users to request resetting of session tokens. The list was collected from many sources, and naturally contained many false positives and negatives, but nevertheless served as a starting point. It was eventually archived, but it made the news on several occasions so I feel obliged to explain it with a bit more context in this post. <img src="https://i.imgur.com/qGTLeAt.png" width="350px"> <img src="https://i.imgur.com/hlfKim1.png" width="350px"> ## Timeline 📅 1. Cloudbleed announced 2017-02-25 2. Tweet about compiling list: https://twitter.com/thesquashSH/status/834977306812821504 3. Scrape alexa 10,000 4. Post github repo: https://github.com/pirate/sites-using-cloudflare 5. Add crimeflare list: http://www.crimeflare.com/cfs.html 6. Tweet about finding 7,000,000+ domains: https://twitter.com/thesquashSH/status/834963289960509440 7. Post to hackernews 8. De-dupe list with uniq 9. Tweet about narrowing down to 4,000,000 domains 10. post several comments on HN and reddit linking to list 11. Begin accepting PRs for changes 12. Add lots of disclaimers and wording changes 13. Add 8 contributors 14. Accept 200+ issues/PRs in 24 hours 15. Linked to from major news sites ## My Official Statement to Press ✍️ **####################### Disclaimer #######################** This list is archived and no longer under active maintenance. It may contain stale or inaccurate data that will not be corrected. Do not link to it from press releases, it is not intended for end-users. If people want to find it, they can Google it. This list contains *all* domains that use Cloudflare DNS, not just the Cloudflare proxy (the affected service that leaked data). It's a broad sweeping list that includes everything. Just because a domain is on the list does not mean the site is compromised, and sites may be compromised that do not appear on this list. Cloudflare has not provided an official list of affected domains, and likely will not due to privacy concerns. I've compiled an unofficial list here so you know where to start searching for sessions to reset and passwords to change. See these issues for info about the timeline of how we initially accepted pull requests edits, then started requiring verification, then stopped updating the list entirely: - [pirate/sites-using-cloudflare/issues/127](https://github.com/pirate/sites-using-cloudflare/issues/127#issuecomment-282385955) - [pirate/sites-using-cloudflare/issues/87](https://github.com/pirate/sites-using-cloudflare/issues/87#issuecomment-282372235) - [pirate/sites-using-cloudflare/issues/213](https://github.com/pirate/sites-using-cloudflare/issues/213#issuecomment-282976158) - [pirate/sites-using-cloudflare/issues/215](https://github.com/pirate/sites-using-cloudflare/issues/215#issuecomment-282974765) ## Press 📰 ### Social Media 🌐 - https://twitter.com/thesquashSH/status/834927855599562752 - https://twitter.com/thesquashSH/status/835291684447666176 - https://twitter.com/thesquashSH/status/834977306812821504 - https://twitter.com/thesquashSH/status/834963289960509440 - https://twitter.com/duckduckgo/status/835244744179580929 - https://news.ycombinator.com/item?id=13720199 - https://news.ycombinator.com/item?id=13721452 - https://www.reddit.com/r/programming/comments/5vtv16/cloudflare_have_been_leaking_customer_https/de5413m/ - https://www.reddit.com/r/sysadmin/comments/5vu3yn/cloudbleed_seceurity_bug_cloudflare_reverse/ - https://www.reddit.com/r/pcgaming/comments/5vvvzx/so_yeah_cloudflare_had_a_leak_change_every/ - https://www.reddit.com/r/OutOfTheLoop/comments/5vvjq0/what_is_cloudbleed/ - https://twitter.com/search?q=cloudbleed%20thesquashsh&src=typd - https://forum.opencarry.org/index.php?threads/security-risk-cloudbleed-opencarry-org.134824/ ### Newspapers 🗞 - https://www.lifehacker.com.au/2017/02/cloudflare-cloudbleed-bug-exposes-sensitive-data-who-is-affected/ - https://www.digitalfrontiersmedia.com/blog/2017/02/25/cloudbleed-which-sites-do-i-need-change-my-passwords - https://www.troyhunt.com/pragmatic-thoughts-on-cloudbleed/ - http://gizmodo.com/cloudbleed-password-memory-leak-cloudflare-1792709635 - https://www.buzzfeed.com/nicolenguyen/cloudflare-hack-2017-change-your-passwords?utm_term=.rjwMyB8R7#.ceYpRWB0K - https://www.engadget.com/2017/02/24/server-bug-leaks-user-data-for-thousands-of-popular-websites/ - https://blog.discordapp.com/safety-jim-psa-cloudflare-security-issue-77a4ecc48298#.rosl40nw6 - https://techcrunch.com/2017/02/24/how-to-secure-your-data-after-the-cloudflare-leak/ - https://www.forbes.com/sites/thomasbrewster/2017/02/24/google-just-discovered-a-massive-web-leak-and-you-might-want-to-change-all-your-passwords/#6a076e483ca3 - https://www.theregister.co.uk/2017/02/24/cloudbleed_buffer_overflow_bug_spaffs_personal_data/ - https://ask.slashdot.org/story/17/02/25/2011249/ask-slashdot-how-are-you-responding-to-cloudbleed - http://dealnews.com/features/What-Should-You-Do-About-the-Cloudbleed-Data-Leak/1921868.html - https://www.ghacks.net/2017/02/26/cloudbleed-check-if-you-visited-sites-affected-by-cloudflares-security-issue/