Cloudbleed: Cloudflare CDNs, does it impact 1Password? [no; see blog.agilebits.com]
Comments
-
That's a neat idea, @hesspaul.
0 -
Those of us who don't understand Terminal at all won't be able to follow your instructions.
Those, like me, who have used Terminal a fair bit but are unfamiliar with github may, again like me, get stuck with the first line of your instructions.
What's the exact syntax following "git clone"? Does one have to define a folder to clone to, or is that built automatically? And what exactly is the folder one clones from?
(Later) I worked out how to do it.
git clone https://github.com/weltan/cloudbleed-1password
works fine (though, as I normally run as a non-admin user, I had to su to an admin first and sudo the command, as well as agreeing to the Xcode licence).
But 1PW had Export greyed out and I didn't see how to export. (Later) That turned out to be because 1PW was set to All Vaults and should have been set to Personal in my case.
0 -
The instructions are lacking, in that they assume you are familiar with Node.js and have npm already installed. Very few on this forum will have this prerequisite. And it's non-trivial, as these instructions show.
The Git clone is just a way to grab the code and contained files - click the button, save it as a Zip when asked, and open (extract) the zip's contents.
0 -
Yes, the instructions are non-trivial. But they are also fairly easy if one has used Terminal at all (or even if you have never used Terminal but are feeling brave).
However the instructions to run node index.js gave me the error message
Cannot find module 'csv-parse/lib/sync'
Maybe this relates to line 6 of the instructions, as npm will perhaps have been installed elsewhere.
0 -
Not enough for me yet. I tried a few things with Terminal that looked as though they should work. Here's what I got.
MBP-311:~ danco$ cd /Users/danco/cloudbleed-1password
MBP-311:cloudbleed-1password danco$ node index.js
module.js:472
throw err;
^
Error: Cannot find module 'domain-name-parser'
at Function.Module._resolveFilename (module.js:470:15)
at Function.Module._load (module.js:418:25)
at Module.require (module.js:498:17)
at require (internal/module.js:20:19)
at Object.<anonymous> (/Users/danco/cloudbleed-1password/index.js:6:20)
at Module._compile (module.js:571:32)
at Object.Module._extensions..js (module.js:580:10)
at Module.load (module.js:488:32)
at tryModuleLoad (module.js:447:12)
at Function.Module._load (module.js:439:3)
MBP-311:cloudbleed-1password danco$ npm install
cloudbleed@0.0.1 /Users/danco/cloudbleed-1password
└── domain-name-parser@2.3.0
npm WARN cloudbleed@0.0.1 No repository field.
MBP-311:cloudbleed-1password danco$
Maybe I do best to wait until AgileBits can do something.
I do have a folder domain-name-parser, but perhaps it is in the wrong place. A further try produced different errors, this time complaining of invalid closing quotes.
However, this is all very interesting, and I quite enjoyed installing Homebrew, which might be useful in the future.
0 -
As I mentioned, I did find the csv-parse and domain-name-parser in the end, but ran into trouble with running the actual script.
ls gives
Dockerfile affectedSites.csv package.json
LICENSE index.js
README.md node_modules
and node_modules does contain both csv-parse and domain-name-parser.
But running node index.js gives
MBP-311:~ danco$ cd /Users/danco/cloudbleed-1password
MBP-311:cloudbleed-1password danco$ node index.js
/Users/danco/cloudbleed-1password/node_modules/csv-parse/lib/index.js:389
throw Error("Invalid closing quote at line " + (this.lines + 1) + "; found " + (JSON.stringify(this._.nextChar)) + " instead of delimiter " + (JSON.stringify(this.options.delimiter)));
^
Error: Invalid closing quote at line 424; found "h" instead of delimiter ","
at Parser.__write (/Users/danco/cloudbleed-1password/node_modules/csv-parse/lib/index.js:389:19)
at module.exports (/Users/danco/cloudbleed-1password/node_modules/csv-parse/lib/sync.js:26:10)
at parseUrlsFromCsv (/Users/danco/cloudbleed-1password/index.js:26:13)
at Object.<anonymous> (/Users/danco/cloudbleed-1password/index.js:10:8)
at Module._compile (module.js:571:32)
at Object.Module._extensions..js (module.js:580:10)
at Module.load (module.js:488:32)
at tryModuleLoad (module.js:447:12)
at Function.Module._load (module.js:439:3)
at Module.runMain (module.js:605:10)
0 -
@danco, and others,
I wrote a little Perl script to check your URLs against the compiled list of 4,287,594 suspect URLs. It reports your suspect URLs. I'm currently optimizing it, as it is brute force right now.
If anyone is interested, let me know.
0 -
Interested!
(I have already used the NodeJS script, but that gave many timeouts while running)
0 -
Ok, I finished my quick optimizations, and ran the script on my URLs. I found 13 sites on the list (out of almost 350, that's not bad). The scanning took about 3 1/2 minutes. Not too bad for 4.2 million sites! I could optimize it more, but there's not much value in that.
All 13 passwords now changed.
0 -
I would certainly like to use your script.
0 -
@danco - I realized later you were on OS X - sorry for being daft.
@tinywizard, @danco - here are the instructions:
- Download the cloudflare-check.zip file - it will save to Downloads by default. Unzip it there.
- In 1Password, select the Logins group from the sidebar and select all of your Login records.
- File > Export > Selected Items, and choose Comma Delimited Text (.csv) from the File Format pull down
- In the Export dialog, change the File name to
urlexport
- In the Export dialog, remove all of the export fields except for URL - it needs to be the only one that exists in the export.
- In the Export dialog, navigate to your Desktop, and click Save
- Open Terminal
- Type the command
cd ~/Downloads/cloudflare-check
and press Enter
- Type the command
perl check.pl sorted_unique_cf.txt ~/Desktop/urlexport.csv
The command will run, and you'll see output like:
Building suspects table... Done.
Checking URLs against suspects...
Checking my.1password.com
Found my.1password.com matches: (?^u:^1password($|\.))
Checking www.aa.com
Checking calstate.aaa.com
Checking www.aa.com
...
Checking www.yelp.com
Found www.yelp.com matches: (?^u:^yelp($|\.))
Checking zimbra.com
Checking www.zipzoomfly.com
Done.
Suspect URLs
my.1password.com
...
www.yelp.com
The building of the suspects table will take a few seconds, and then each possible site hit will be evaluated.
Consider changing passwords for all the sites listed under the Suspect URLs, listed at the end of the output. These are possible compromises; it is unknown yet if there is any issue with the site.
0 -
Thank you!
I'm going to try this tonight. I wonder how well the list of suspected sites matches the result of the NodeJS script.
(I will probably change passwords for all sites in the union of the results)
0 -
Didn't work for me. My issue? Or a typo in your script or instructions?
Running the script just produced a > prompt, no other output. As below. Files download into a folder that (for historical reasons, I have never bothered to change it) is called Mountain Lion Installers.
Last login: Sat Feb 25 10:12:47 on ttys000
You have mail.
MBP-311:~ danco$ cd /Users/danco/Mountain\ Lion\ Installers/cloudfare-check
MBP-311:cloudfare-check danco$ `perl check.pl sorted_unique_cf.txt ~/Desktop/urlexport.csv
0 -
Anyone know why my export menu item would be greyed out?
0 -
Anyone know why my export menu item would be greyed out?
For me it was grayed out when All Vaults were selected instead of a single one.
0 -
By the way, given MrC's output result, is it recommended to change the password for a 1PW individual account (which is shown as suspect)? I know that the 1PW protection is excellent, so a change is probably not needed except for the extremely paranoid/vulnerable, and changing my master password is something I would hate to do, the current one is almost embedded in my muscles as well as my mind.
0 -
@danco - sorry, my Markup text in the instructions for the
perl ...
command was missing a backquote, so it was literally included in the command. I've fixed it in the instructions. The single backquote in the command line would leave the command shell waiting for more input, hence your "no other output".
@XIII and @danco, the site list grabbed contains the 4.2 million sites with possible compromises. It isn't known yet if there is any issue. But there is no harm in changing a few passwords, so I just did it, regardless of who says what is secure or not. It takes seconds, and is good practice anyway. I don't consider myself either paranoid or vulnerable - rather just too lazy, or too busy, to spend more time than the seconds it takes to change a password, to analyze whether or not I need to change that password. Life is short.
0 -
I'm going to try this tonight. I wonder how well the list of suspected sites matches the result of the NodeJS script.
The Perl script found 2 additional ones (and missed a few the NodeJS script found before).
Since I had already changed the password for all of the suspects from the NodeJS script I will definitely change the password for these two as well.
0 -
Yes, it worked this time. I don't know if I had several logins for some sites, but I did notice that there were some URLs that came up several times in the list (www.jazzfm.com came about five times).
0 -
OK, not a problem, just wondered.
0
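The check this thread describes, matching exported login URLs against a list of suspect domains, as an added example that is not part of any post above and is not the code of either script mentioned. It assumes a one-column URL export and a suspect list with one domain per line; all function names and sample data are constructed. Each hostname and its parent domains are looked up in a Set instead of scanning the whole list, and each hostname is reported once even if several logins share it.

```javascript
// Added example: sample data below is constructed, not taken from the real list.
const SUSPECT_LIST = `example-cdn-customer.com
forum.example.org
shop.example.net
`;
const URL_EXPORT = `"https://www.example-cdn-customer.com/login"
"https://www.example-cdn-customer.com/account"
forum.example.org
"https://example.org/"
"http://pay.shop.example.net:8443/checkout"
"not a url at all"
`;

// One domain per line -> Set, so each lookup is O(1) even with millions of entries.
function loadSuspects(text) {
  return new Set(text.split(/\r?\n/).map(s => s.trim().toLowerCase()).filter(Boolean));
}

// Pull the hostname out of one exported CSV field; returns null if unparseable.
function hostnameOf(field) {
  let value = field.trim().replace(/^"(.*)"$/, '$1').trim();
  if (!value) return null;
  if (!/^[a-z][a-z0-9+.-]*:\/\//i.test(value)) value = 'https://' + value; // bare host
  try { return new URL(value).hostname.toLowerCase(); } catch { return null; }
}

// Candidate domains for a host: the host itself and each parent with >= 2 labels.
function candidates(host) {
  const labels = host.split('.');
  const out = [];
  for (let i = 0; i + 2 <= labels.length; i++) out.push(labels.slice(i).join('.'));
  return out;
}

// Returns a Map of unique suspect hostnames -> the list entry that matched.
function findSuspects(csvText, suspects) {
  const hits = new Map();
  for (const line of csvText.split(/\r?\n/)) {
    const host = hostnameOf(line);
    if (!host || hits.has(host)) continue; // skip junk and already-reported hosts
    const match = candidates(host).find(d => suspects.has(d));
    if (match) hits.set(host, match);
  }
  return hits;
}

const hits = findSuspects(URL_EXPORT, loadSuspects(SUSPECT_LIST));
for (const [host, entry] of hits) console.log(`${host} (listed as ${entry})`);
```

A listed subdomain (forum.example.org here) does not flag its parent domain, while a listed parent flags every host beneath it.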