Cloudflare bug = possible password leaks (glowforge.com + makezine.com + thingiverse.com + 4,000,000+ other sites possibly effected)

Hirudin · February 25, 2017, 3:26am

These things are frequently overblown, but it’s also probably worth knowing about.

The full list of possibly effected sites is apparently more than 4 million long. Linked below is a site with the full list, a “notable” list, and a list generated by cross-referencing against Alexa’s top 10,000 sites. I read the cross-referenced list to look for sites I have accounts with; it took a while, but I’m glad I did.

Makezine.com and thingiverse.com are the only two that jumped out at me as sites that Glowforgers might also have accounts with, but if you find more please post them below.

Oh, wait… damn.

glowforge.com is in the list of possibly effected sites

github.com

pirate/sites-using-cloudflare/blob/master/README.md

# List of Sites on Cloudflare DNS (archived)

This is an (archived) list of sites on Cloudflare DNS at the time of the [CloudBleed HTTPS traffic leak](https://blog.cloudflare.com/incident-report-on-memory-leak-caused-by-cloudflare-parser-bug/) announcement.
Original vuln [thread](https://bugs.chromium.org/p/project-zero/issues/detail?id=1139) by Google Project Zero.

Cloudflare has posted a very detailed response, explaining exactly what the implications of this leak are.  It thoroughly explains their language in earlier statements, and I highly recommend reading it before looking through this list for domains:
https://blog.cloudflare.com/quantifying-the-impact-of-cloudbleed/

### DISCLAIMER:
This list is archived and no longer under active maintenance.  It may contain stale or inaccurate data that will not be corrected.  Do not link to it from press releases, it is not intended for end-users.  If people want to find it, they can Google it.

This list contains *all* domains that use Cloudflare DNS, not just the Cloudflare proxy (the affected service that leaked data).  It's a broad sweeping list that includes everything.  Just because a domain is on the list does not mean the site is compromised, and sites may be compromised that do not appear on this list.

Cloudflare has not provided an official list of affected domains, and likely will not due to privacy concerns.  I've compiled an unofficial list here so you know where to start searching for sessions to reset and passwords to change.

See [issue #127](https://github.com/pirate/sites-using-cloudflare/issues/127#issuecomment-282385955) and [issue #87](https://github.com/pirate/sites-using-cloudflare/issues/87#issuecomment-282372235) for additional info about which sites are likely to be affected.

## Impact

**Between 2016-09-22 - 2017-02-18 session tokens, passwords, private messages, API keys, and other sensitive data were leaked by Cloudflare to random requesters.**

This file has been truncated. show original

CNCZone.com is on there too.
formlabs.com (use the “forgot your password” option to change it, also, since the “log out” button/link doesn’t seem to function, use a private browser window to gain access to the “forgot your password” option)
shapertools.com (use the “forgot your password” option to change it)

Hirudin · February 25, 2017, 3:30am

Page to change your Glowforge password…
https://glowforge.com/account

PFI-Guy · February 25, 2017, 3:43am

Another reason why users should NOT use the same password across multiple accounts.

It is a pain in the a** to have separate passwords, but something like LastPass makes password management across multiple devices very tolerable.

Hirudin · February 25, 2017, 3:56am

Very true, using a password manager can be very helpful! 2-Factor-Authentication is good too, when available, except it usually means giving the site your phone number (which I hate doing).

A related/topical Engadget/Wirecutter article…

One of the managers on the list, 1Password, is apparently a site possibly effected by this bug, though it seems that they’re saying that they actually weren’t effected.

Brandon_R · February 25, 2017, 5:22am

Good to know. I use 1Password and have been pretty happy with it. They’re pretty proactive about things.

cynzu · February 25, 2017, 5:23am

"came down to a typo in the code that caused a buffer overrun"
One serious downside about being a programmer is knowing how really easy it is to make stupid errors which can have nasty consequences, and knowing how much really ugly/bad/sloppy horrible code is out there doing important things. scary.

Cloudflare bug = **possible** password leaks (glowforge.com + makezine.com + thingiverse.com + 4,000,000+ other sites possibly effected)

glowforge.com is in the list of possibly effected sites

Cloudflare bug = possible password leaks (glowforge.com + makezine.com + thingiverse.com + 4,000,000+ other sites possibly effected)