Which of my Firefox passwords might have been compromised by Cloudflare’s memory leak?

Yesterday the internet learned that Cloudflare had been randomly spewing the contents of some connections through their services into other HTTP responses. What fun! Now we need to change all our passwords, rotate our keys, expire sessions, etc. because someone used C code in a sensitive context. But I have hundreds of passwords, and I don't want to change all of them. Here's how I found a set of candidates that could have been affected, using Firefox's password store.

Update 2017-02-24: Uses later date to only check sites in high-risk period.

Update 2017-02-24: Now actually checks if each identified site currently uses Cloudflare, and uses later date.

I use Firefox's password manager, which stores its data as logins.json in my Firefox profile. Convenient! I found it in ~/.mozilla/firefox/*.default/logins.json on my Linux box, where the * is a random prefix specific to my profile. Here's what an example entry looks like, chosen for being one I don't particularly care about if someone somehow manages to decrypt it, and also irony:

  {
    "id": 143,
    "hostname": "http://www.rootthisbox.org",
    "httpRealm": null,
    "formSubmitURL": "",
    "usernameField": "username",
    "passwordField": "password",
    "encryptedUsername": "MDIEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECAMJUfZKgrK7BAiRTVgGoasjtQ==",
    "encryptedPassword": "MDoEEPgAAAAAAAAAAAAAAAAAAAEwFAYIKoZIhvcNAwcECFO7y5x4sEYABBBfmQoVWkou3+rOwf3NxaKs",
    "guid": "{3c55e276-e065-464e-b4e6-225f36b285a3}",
    "encType": 1,
    "timeCreated": 1318635013122,
    "timeLastUsed": 1318635013122,
    "timePasswordChanged": 1318635013122,
    "timesUsed": 1
  },

I want a list of sites where I sent one of those passwords to the site during the affected time window:

  • I'm unclear on the relationship between hostname and formSubmitURL, but I suspect the latter was introduced after the former (and only applies to HTML form logins, not HTTP Auth) so I'll prefer to grab formSubmitURL and fall back to hostname when necessary.
  • The advisory said that the problem started on 2016-09-22. Assuming UTC, midnight of that day is 1474502400000 milliseconds since the UNIX epoch. Update: Cloudflare says the high-risk period started 2017-02-13, a.k.a. 1486944000000, so I'll use that instead.
  • I also don't know exactly how those three timestamps relate to each other, so I'll pick any entry that was used, created, or changed since the start date. Note that this includes sites I've used after Cloudflare implemented their fix, for completeness.

I'll use jq to extract all the sites I logged into since 2017-02-13 and then check each one for using Cloudflare:

cat ~/.mozilla/firefox/*.default/logins.json \
| jq -r '.logins[]
      | select(.timeCreated > 1486944000000 or .timeLastUsed > 1486944000000 or .timePasswordChanged > 1486944000000)
      | if .formSubmitURL != "" and .formSubmitURL != null then .formSubmitURL else .hostname end' \
| sort --unique \
| while read -r url; do
    # -i includes the response headers in curl's output; -q keeps grep quiet so only matching URLs are printed
    curl -sS -i -m5 -- "$url" \
    | grep -qi cloudflare-nginx && echo "$url"
  done

If there's any output, those are the sites where you might want to consider changing your password.
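The same procedure as a Python script, added here as an example rather than taken from the post: it applies the post's three-timestamp filter and formSubmitURL-or-hostname rule to a constructed logins.json sample, then looks at each candidate's Server header. It goes slightly beyond the post's exact "cloudflare-nginx" match by accepting any Server header naming Cloudflare; the hosts and timestamps in the sample are made up.

```python
import json
import sys
from urllib.error import HTTPError, URLError
from urllib.request import Request, urlopen

# Start of Cloudflare's stated high-risk period, 2017-02-13 00:00 UTC, in ms since the epoch.
HIGH_RISK_START_MS = 1486944000000

# Constructed sample of a logins.json (hosts and timestamps are made up, not from a real profile).
SAMPLE_LOGINS_JSON = """{"logins": [
 {"hostname": "http://www.rootthisbox.org", "httpRealm": null, "formSubmitURL": "",
  "timeCreated": 1318635013122, "timeLastUsed": 1318635013122, "timePasswordChanged": 1318635013122},
 {"hostname": "https://forum.example.net", "httpRealm": null, "formSubmitURL": "https://forum.example.net/login",
  "timeCreated": 1400000000000, "timeLastUsed": 1487000000000, "timePasswordChanged": 1400000000000},
 {"hostname": "https://intranet.example.org", "httpRealm": "Restricted", "formSubmitURL": null,
  "timeCreated": 1487100000000, "timeLastUsed": 1487100000000, "timePasswordChanged": 1487100000000}
]}"""

def login_url(entry):
    """Prefer formSubmitURL (HTML form logins); fall back to hostname when it is "" or null (e.g. HTTP Auth)."""
    return entry.get("formSubmitURL") or entry["hostname"]

def candidate_urls(logins_json, since_ms=HIGH_RISK_START_MS):
    """Sorted, de-duplicated URLs of logins created, used or changed after since_ms."""
    stamps = ("timeCreated", "timeLastUsed", "timePasswordChanged")
    logins = json.loads(logins_json)["logins"]
    return sorted({login_url(e) for e in logins if any(e.get(k, 0) > since_ms for k in stamps)})

def served_by_cloudflare(raw_headers):
    """True if a raw response header block has a Server header naming Cloudflare."""
    for line in raw_headers.splitlines():
        name, _, value = line.partition(":")
        if name.strip().lower() == "server" and "cloudflare" in value.lower():
            return True
    return False

def fetch_headers(url, timeout=5):
    """Return a site's response headers as text; 4xx/5xx answers still carry the Server header."""
    try:
        with urlopen(Request(url, method="HEAD"), timeout=timeout) as resp:
            return str(resp.headers)
    except HTTPError as err:
        return str(err.headers)
    except (URLError, OSError, ValueError):
        return ""

if __name__ == "__main__":
    # Pass the path to your own logins.json; without one the constructed sample is used.
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOGINS_JSON
    for url in candidate_urls(data):
        if served_by_cloudflare(fetch_headers(url)):
            print(url)
```

Like the shell pipeline, this lists sites used after the fix as well, so the output is a set of candidates to review, not a confirmed-leak list.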
