List of sites possibly affected by Cloudflare’s Traffic Leak

Great news this morning from Cloudflare →

[…] in some unusual circumstances […] our edge servers were running past the end of a buffer and returning memory that contained private information such as HTTP cookies, authentication tokens, HTTP POST bodies, and other sensitive data. And some of that data had been cached by search engines.

List of Sites possibly affected by Cloudflare’s #Cloudbleed HTTPS Traffic Leak →

Between 2016-09-22 and 2017-02-18, passwords, private messages, API keys, and other sensitive data were leaked by Cloudflare to random requesters. Data was cached by search engines, and may have been collected by random adversaries over the past few months.

Requests to sites with the HTML rewrite features enabled triggered a pointer math bug. Once the bug was triggered, the response would include data from ANY other Cloudflare proxy customer that happened to be in memory at the time. This means a request for a page with one of those features could include data from Uber or one of the many other customers that didn’t use those features. So the potential impact is every single one of the sites using Cloudflare’s proxy services (including HTTP & HTTPS proxy).

Emphasis:

This list contains all domains that use Cloudflare DNS, not just the Cloudflare proxy (the affected service that leaked data). It’s a broad, sweeping list that includes everything. Just because a domain is on the list does not mean the site is compromised, and sites may be compromised that do not appear on this list.

Cloudflare had been working on it before it made the announcement.

The infosec team worked to identify URIs in search engine caches that had leaked memory and get them purged. With the help of Google, Yahoo, Bing and others, we found 770 unique URIs that had been cached and which contained leaked memory. Those 770 unique URIs covered 161 unique domains. The leaked memory has been purged with the help of the search engines.

But just to be sure, change your passwords & clear your cookies.

GitHub users kamaljoshi and avian2 have written scripts to check the domains of saved logins for Chrome and Firefox.

https://gist.github.com/kamaljoshi/2cce5f6d35cd28de8f6dbb27d586f064
https://gist.github.com/avian2/30db0d579732287d758c21ba8ded9393
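The same kind of check in a few lines of Python, as an added example rather than the code from either gist: it reads the origins out of a Firefox-style `logins.json` (which stores them under a `hostname` key), and matches each host label-wise against the published domain list, so that a saved login for `m.uber.com` matches `uber.com` but `notuber.com` does not. Both the domain list excerpt and the `logins.json` content below are constructed samples.

```python
import json
from urllib.parse import urlsplit

# Constructed excerpt standing in for the published list of Cloudflare-DNS domains.
AFFECTED_DOMAINS = {"example.com", "uber.com", "medium.com"}

# Constructed Firefox-style logins.json: only the "hostname" (origin) field is used.
SAMPLE_LOGINS_JSON = json.dumps({"logins": [
    {"hostname": "https://accounts.example.com"},
    {"hostname": "https://www.bank.example.net"},
    {"hostname": "http://m.uber.com:8080"},
    {"hostname": "https://notuber.com"},
]})


def parse_firefox_logins(text):
    """Return the origin strings stored in a Firefox logins.json export."""
    return [entry["hostname"] for entry in json.loads(text)["logins"]]


def hostname_of(origin):
    """Bare, lower-cased host from an origin ('http://m.uber.com:8080' -> 'm.uber.com')."""
    host = urlsplit(origin).hostname
    return host.lower().rstrip(".") if host else None


def parent_domains(host):
    """Yield the host and each parent domain down to the registrable-looking one."""
    labels = host.split(".")
    for i in range(len(labels) - 1):
        yield ".".join(labels[i:])


def affected_logins(origins, affected=AFFECTED_DOMAINS):
    """Map each saved-login host to the listed domain it falls under.

    A hit means the domain appears on the Cloudflare-DNS list, so the credential
    is worth rotating; it is not proof that the site's traffic actually leaked.
    """
    hits = {}
    for origin in origins:
        host = hostname_of(origin)
        if not host:
            continue
        for candidate in parent_domains(host):
            if candidate in affected:
                hits[host] = candidate
                break
    return hits


if __name__ == "__main__":
    for host, domain in sorted(affected_logins(parse_firefox_logins(SAMPLE_LOGINS_JSON)).items()):
        print(f"rotate password for {host} (listed domain: {domain})")
```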

Update:

Monzo’s Response to Cloudbleed →

Good to see a transparent bank. Anyone willing to try it out, I have a Golden Ticket.