Which of my Firefox passwords might have been compromised by Cloudflare’s memory leak?

Yesterday the internet learned about Cloudflare's memory leak. I don't want to change all of my passwords, so I want a list of the sites where I sent one of them to the site during the affected time window.

I use Firefox's password store. I can cat ~/.mozilla/firefox/*.default/logins.json on my Linux box, where the * is a random prefix specific to my profile. Here's what an example entry looks like, chosen for being one I don't particularly care about if someone somehow manages to decrypt it, and also irony:

      {
        "id": 143,
        "hostname": "http://www.rootthisbox.org",
        "httpRealm": null,
        "formSubmitURL": "",
        "usernameField": "username",
        "passwordField": "password",
        "encryptedUsername": "MDIEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECAMJUfZKgrK7BAiRTVgGoasjtQ==",
        "encryptedPassword": "MDoEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECFO7y5x4sEYABBBfmQoVWkou3+rOwf3NxaKs",
        "guid": "{3c55e276-e-b4e6-225f36b285a3}",
        "encType": 1,
        "timeCreated": 1318635013122,
        "timeLastUsed": 1318635013122,
        "timePasswordChanged": 1318635013122,
        "timesUsed": 1
      },

A few notes on the fields:

  • The advisory said that the problem started on 2016-09-22. Assuming UTC, midnight of that day is 1474502400000 milliseconds since the Unix epoch, which is the unit the time* fields are in.
  • I also don't know exactly how those three timestamps relate to each other.
  • I'm unclear on the relationship between hostname and formSubmitURL, so I use hostname when necessary.

I'll use jq to extract all the sites I've used since 2017-02-13 and then check each one for using Cloudflare:

    for url in $(jq -r '.logins[] | select(.timeLastUsed >= 1486944000000) | .hostname' \
                 ~/.mozilla/firefox/*.default/logins.json); do
      curl -sI -m5 -- "$url" | grep cloudflare-nginx && echo "$url"
    done

If there's any output, those are the sites where you might want to consider changing your password. Note that this includes sites I logged into after Cloudflare implemented their fix, for completeness.

Update 2017-02-24: Cloudflare says the high-risk period started 2017-02-13, a.k.a. 1486944000000, so I'll use that instead. The command above now actually checks whether each identified site currently uses Cloudflare, and uses the later date to only check sites used in the high-risk period.
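As an added example that is not part of the original post, here is the same check in Python: it parses a constructed logins.json fragment, keeps hostnames where any of the three time* fields is at or after the 2017-02-13 cutoff (so the uncertainty about which timestamp matters is handled by checking all of them), and tests a Server header for Cloudflare's signature. The sample entries, the example.net/example.com hostnames and the check_site helper are my own assumptions; the live HEAD request is not needed for the filtering logic.

```python
import json
from datetime import datetime, timezone
from typing import List, Optional
from urllib.request import Request, urlopen

# Cutoff: midnight UTC on the first day of the high-risk period (2017-02-13),
# in milliseconds since the Unix epoch, the unit logins.json's time* fields use.
HIGH_RISK_START_MS = int(datetime(2017, 2, 13, tzinfo=timezone.utc).timestamp() * 1000)

# Constructed sample in the shape of logins.json (encrypted fields omitted; not real data).
SAMPLE_LOGINS_JSON = json.dumps({"logins": [
    {"hostname": "http://www.rootthisbox.org", "timeLastUsed": 1318635013122,
     "timePasswordChanged": 1318635013122, "timeCreated": 1318635013122},
    {"hostname": "https://forum.example.net", "timeLastUsed": 1487000000000,
     "timePasswordChanged": 1400000000000, "timeCreated": 1400000000000},
    # Last used before the cutoff, but the password was changed during it.
    {"hostname": "https://bank.example.com", "timeLastUsed": 1486000000000,
     "timePasswordChanged": 1487100000000, "timeCreated": 1400000000000},
    {"hostname": "https://forum.example.net", "timeLastUsed": 1487200000000,
     "timePasswordChanged": 1487200000000, "timeCreated": 1400000000000},
]})

TIME_FIELDS = ("timeLastUsed", "timePasswordChanged", "timeCreated")

def sites_used_since(logins_json: str, cutoff_ms: int = HIGH_RISK_START_MS) -> List[str]:
    """Deduplicated hostnames whose entry has any time* field at or after cutoff_ms.
    All three timestamps are checked because their exact relationship is unclear."""
    seen, result = set(), []
    for entry in json.loads(logins_json)["logins"]:
        if any(entry.get(field, 0) >= cutoff_ms for field in TIME_FIELDS):
            host = entry["hostname"]
            if host not in seen:
                seen.add(host)
                result.append(host)
    return result

def served_by_cloudflare(server_header: Optional[str]) -> bool:
    """True if a Server header looks like Cloudflare's edge: "cloudflare-nginx" in
    2017, plain "cloudflare" on newer edges. Case-insensitive substring match."""
    return server_header is not None and "cloudflare" in server_header.lower()

def check_site(url: str, timeout: float = 5.0) -> bool:
    """Live HEAD request (needs network): does the site's edge identify as Cloudflare?"""
    try:
        with urlopen(Request(url, method="HEAD"), timeout=timeout) as resp:
            return served_by_cloudflare(resp.headers.get("Server"))
    except Exception:
        return False  # unreachable or erroring sites are reported as not on Cloudflare

if __name__ == "__main__":
    for url in sites_used_since(SAMPLE_LOGINS_JSON):
        print(url, "cloudflare" if check_site(url) else "-")
```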
