Skip to content

💔 List of domains using Cloudflare DNS (potentially affected by the CloudBleed HTTPS traffic leak)

Notifications You must be signed in to change notification settings

ksbomj/sites-using-cloudflare

 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 
 
 
 
 
 
 

Repository files navigation

List of Sites possibly affected by Cloudflare's #Cloudbleed HTTPS Traffic Leak

This is a (work-in-progress) list of domains possibly affected by the CloudBleed HTTPS traffic leak. Original vuln thread by Google Project Zero.

DISCLAIMER:

This list contains all domains that use Cloudflare DNS, not just the Cloudflare proxy (the affected service that leaked data). It's a broad sweeping list that includes everything. Just because a domain is on the list does not mean the site is compromised, and sites may be compromised that do not appear on this list.

Cloudflare has not provided an official list of affected domains, and likely will not due to privacy concerns. I'm compiling an unofficial list here so you know what sessions to reset and passwords to change.

See issue #127 and issue #87 for additional info about which sites are likely to be affected.

Impact

Between 2016-09-22 - 2017-02-18 session tokens, passwords, private messages, API keys, and other sensitive data were leaked by Cloudflare to random requesters. Data was cached by search engines, and may have been collected by random adversaries over the past few months.

Requests to sites with the HTML rewrite features enabled triggered a pointer math bug. Once the bug was triggered the response would include data from ANY other Cloudflare proxy customer that happened to be in memory at the time. Meaning a request for a page with one of those features could include data from Uber or one of the many other customers that didn't use those features. So the potential impact is every single one of the sites using Cloudflare's proxy services (including HTTP & HTTPS proxy).

"The greatest period of impact was from February 13 and February 18 with around 1 in every 3,300,000 HTTP requests through Cloudflare potentially resulting in memory leakage (that’s about 0.00003% of requests), potential of 100k-200k paged with private data leaked every day" -- source

You can see some of the leaked data yourself in search engine caches: https://duckduckgo.com/?q=+%7B%22scheme%22%3A%22http%22%7D+CF-Host-Origin-IP&t=h_&ia=web (2/25/2017) DuckDuckGo has removed this data

Confirmed affected domains found in the wild: http://doma.io/2017/02/24/list-of-affected-cloudbleed-domains.html

What should I do?

The most important thing you can do is ask your vendors and sites to reset all their session tokens, as more response data was leaked than request data, and responses generally contain session tokens rather than passwords. If websites you use have a button to "log out all active sessions", use it. Since sites may be compromised this week due to data discovered in caches, it's best to also do this again in a week or two after everything settles down. If websites you use don't have an option to log out all active sessions, contact them and pressure them to rotate all their session tokens.

To be extra safe, you should probably check your password managers and change all your passwords, especially those on these affected sites. Rotate API keys & secrets, and confirm you have 2-FA set up for important accounts. This might sound like fear-mongering, but the scope of this leak is truly massive, and due to the fact that all Cloudflare proxy customers were vulnerable to having data leaked, it's better to be safe than sorry.

Theoretically sites not in this list can also be affected (because an affected site could have made an API request to a non-affected one), you should probably change all your important passwords.

Submit PR's to add domains that you know are using Cloudflare, or remove domains that are not affected.

Methodology

This list was compiled from 3 large dumps of all Cloudflare customers provided by crimeflare.com/cfs.html, and several manually copy-pasted lists from stackshare.io and wappalyzer.com. Crimeflare collected their lists by doing NS DNS lookups on a large number of domains, and checking SSL certificate ownership.

I scraped the Alexa top 10,000 by using a simple loop over the list:

for domain in (cat ~/Desktop/alexa_10000.csv)
    if dig $domain NS | grep cloudflare
        echo $domain >> affected.txt
    end
end

The Alexa scrape, and the Crimeflare dumps were then combined in a single text file, and passed through sort | uniq. I've since accepted several PRs and issues to remove sites that were unaffected from the list.

Data sources:

I'd rather be safe than sorry so I've included any domain here that remotely touches Cloudflare. If I've made a mistake and you believe your site is not affected, submit a PR and I will merge it ASAP, I don't want to hurt anyone's reputation unnecessarily.

You can also ping me on twitter @theSquashSH and I'll respond as soon as I can.

Full List

Download the full list.zip (22mb)

4,287,625 possibly affected domains. Download this file, unzip it, then run grep -x domaintocheck.com sorted_unique_cf.txt to see if a domain is present.

Also, a list of some iOS apps that may have been affected.

Search Tools

Check out our wiki page for an extensive list of websites & scripts to search through the list. You may submit new ones by creating a new issue.

Notable Sites

Alexa Top 10,000 on Cloudflare DNS:

About

💔 List of domains using Cloudflare DNS (potentially affected by the CloudBleed HTTPS traffic leak)

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published