This repository has been archived on 18/Jan/2018.
💔 Archived list of domains using Cloudflare DNS at the time of the CloudBleed announcement.

List of Sites on Cloudflare DNS (archived)

This is an (archived) list of sites on Cloudflare DNS at the time of the CloudBleed HTTPS traffic leak announcement. Original vuln thread by Google Project Zero.

Cloudflare has posted a very detailed response, explaining exactly what the implications of this leak are. It thoroughly explains their language in earlier statements, and I highly recommend reading it before looking through this list for domains: https://blog.cloudflare.com/quantifying-the-impact-of-cloudbleed/

DISCLAIMER:

This list is archived and no longer under active maintenance. It may contain stale or inaccurate data that will not be corrected. Do not link to it from press releases; it is not intended for end-users. If people want to find it, they can Google it.

This list contains all domains that use Cloudflare DNS, not just the Cloudflare proxy (the affected service that leaked data). It's a broad sweeping list that includes everything. Just because a domain is on the list does not mean the site is compromised, and sites may be compromised that do not appear on this list.

Cloudflare has not provided an official list of affected domains, and likely will not due to privacy concerns. I've compiled an unofficial list here so you know where to start searching for sessions to reset and passwords to change.

See issue #127 and issue #87 for additional info about which sites are likely to be affected.

Impact

Between 2016-09-22 and 2017-02-18, session tokens, passwords, private messages, API keys, and other sensitive data were leaked by Cloudflare to random requesters. The data was cached by search engines, and may have been collected by random adversaries over the past few months.

Requests to sites with the HTML rewrite features enabled triggered a pointer-math bug. Once the bug was triggered, the response would include data from ANY other Cloudflare proxy customer that happened to be in memory at the time. That means a request for a page with one of those features could include data from Uber or one of the many other customers that didn't use those features. So the potential impact is every single one of the sites using Cloudflare's proxy services (both HTTP and HTTPS proxy).

"The greatest period of impact was from February 13 and February 18 with around 1 in every 3,300,000 HTTP requests through Cloudflare potentially resulting in memory leakage (that's about 0.00003% of requests), potential of 100k-200k pages with private data leaked every day" -- source

You can see some of the leaked data yourself in search engine caches: https://duckduckgo.com/?q=+%7B%22scheme%22%3A%22http%22%7D+CF-Host-Origin-IP&t=h_&ia=web (as of 2/25/2017, DuckDuckGo has removed this data)

Confirmed affected domains found in the wild: http://doma.io/2017/02/24/list-of-affected-cloudbleed-domains.html

What should I do?

The most important thing you can do is ask your vendors and sites to reset all their session tokens, as more response data was leaked than request data, and responses generally contain session tokens rather than passwords. If websites you use have a button to "log out all active sessions", use it. Since sites may be compromised this week due to data discovered in caches, it's best to also do this again in a week or two after everything settles down. If websites you use don't have an option to log out all active sessions, contact them and pressure them to rotate all their session tokens.

To be extra safe, you may want to check your password managers and change crucial passwords, especially those on the affected sites. Rotate API keys & secrets, and confirm you have 2FA set up for important accounts. This might sound like fear-mongering, but the scope of this leak is truly massive, and because all Cloudflare proxy customers were vulnerable to having data leaked, many of the extra-cautious people out there would rather be safe than sorry.

Theoretically sites not in this list can also be affected (because an affected site could have made an API request to a non-affected one).

Methodology

This list was compiled from 3 large dumps of all Cloudflare customers provided by crimeflare.com/cfs.html, and several manually copy-pasted lists from stackshare.io and wappalyzer.com. Crimeflare collected their lists by doing NS DNS lookups on a large number of domains, and checking SSL certificate ownership.

I scraped the Alexa top 10,000 by using a simple loop (fish shell) over the list:

# fish shell: every line of the file is passed to dig as a domain name
for domain in (cat ~/Desktop/alexa_10000.csv)
    # keep the domain if any of its NS records mention cloudflare
    if dig $domain NS | grep -q cloudflare
        echo $domain >> affected.txt
    end
end

The Alexa scrape and the Crimeflare dumps were then combined into a single text file and passed through sort | uniq. I've since accepted several PRs and issues to remove unaffected sites from the list.

Data sources:

I'd rather be safe than sorry, so I've included any domain here that remotely touches Cloudflare. Please don't point end-users to this list; it has too many false positives to be useful for non-analytical purposes. I'm no longer accepting PRs to remove sites from the list; our previous process to remove sites was error-prone and labor-intensive. The list is now in archive mode; consider it defunct. If you think for some reason this will greatly impact you or your users, DM me on Twitter.

Full List

Download the full list.zip (22mb)

4,287,625 possibly affected domains. Download this file, unzip it, then run grep -x domaintocheck.com sorted_unique_cf.txt to see if a domain is present.
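As an added example (not code from the original repository), here is a POSIX sh version of the two checks described in the Methodology section and above: deciding whether a domain's NS records point at Cloudflare, and looking a domain up in the combined list with an exact match. The function names are my own, and the NS records and the three-line list are constructed sample data standing in for real dig output and sorted_unique_cf.txt.

```shell
#!/bin/sh
# Added example, not part of the original repository: offline-testable
# versions of the two checks the README describes.
#  1) ns_uses_cloudflare: does a domain's NS record set point at Cloudflare?
#  2) in_cf_list: is a domain present in the combined sorted_unique_cf.txt?
# Function names are my own; the NS records and list below are CONSTRUCTED.

# Reads NS hostnames from stdin (one per line, as `dig +short NS` prints
# them) and succeeds if any ends in cloudflare.com. Anchoring on the suffix
# avoids false hits on nameservers that merely contain the word.
ns_uses_cloudflare() {
    tr 'A-Z' 'a-z' | sed 's/\.$//' | grep -Eq '(^|\.)cloudflare\.com$'
}

# Canonical form to apply to every source before merging with sort | uniq:
# lowercase, no surrounding whitespace, no trailing dot.
normalise_domain() {
    printf '%s\n' "$1" | tr 'A-Z' 'a-z' \
        | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e 's/\.$//'
}

# Whole-line membership test against the list read from stdin:
#   in_cf_list example.com < sorted_unique_cf.txt
# -F makes grep treat the query literally; with plain `grep -x` the dots in
# the domain are regex wildcards, so a query for uber.com would also match
# a list line such as uberXcom.
in_cf_list() {
    grep -Fxq -- "$(normalise_domain "$1")"
}

# Constructed three-line stand-in for the 4.2M-line sorted_unique_cf.txt.
CF_LIST_SAMPLE='example-shop.com
uber.com
forum.example.net'

# Stand-alone demo against the constructed sample
if printf '%s\n' "$CF_LIST_SAMPLE" | in_cf_list 'Uber.com.'; then
    echo 'uber.com: present in the list'
fi
```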

Also, a list of some iOS apps that may have been affected.

Search Tools

There are several tools out there to search the list; I won't endorse any here because they have greatly varying degrees of accuracy. Please do not make user-facing tools to search the list or cross-reference it with browser history; this list has too many false positives to use for that purpose. You will make users lose trust in many sites, despite there being less than a 1 in a million chance of them having data leaked.

Notable Sites

Alexa Top 10,000 on Cloudflare DNS:
