Cloudbleed: Cloudflare CDNs, does it impact 1Password? [no; see blog.agilebits.com]

Comments

  • That's a neat idea, @hesspaul.

  • danco
    Volunteer Moderator
    edited February 2017

    @weltan

    Those of us who don't understand Terminal at all won't be able to follow your instructions.

    Those, like me, who have used Terminal a fair bit but are unfamiliar with github may, again like me, get stuck with the first line of your instructions.

    What's the exact syntax following "git clone"? Does one have to define a folder to clone to, or is that built automatically? And what exactly is the folder one clones from?

    (Later) I worked out how to do it.

    git clone https://github.com/weltan/cloudbleed-1password

    works fine (though, as I normally run as a non-admin user, I had to su to an admin first and sudo the command, as well as agreeing to the Xcode licence).

    But 1PW had Export greyed out and I didn't see how to export. (Later) That turned out to be because 1PW was set to All Vaults and should have been set to Personal in my case.

  • MrC
    Volunteer Moderator

    @danco,

    The instructions are lacking, in that they assume you are familiar with Node.js and have npm already installed. Very few on this forum will have this prerequisite. And it's non-trivial, as these instructions show.

    The Git clone is just a way to grab the code and contained files - click the button, save it as a Zip when asked, and open (extract) the zip's contents.

  • zendnez
    Community Member

    Really appreciated the post from @julie-tx about penetration and security testing. It was transparent and confidence inspiring. Just wanted to say "Thanks".

  • danco
    Volunteer Moderator

    @MrC

    Yes, the instructions are non-trivial. But they are also fairly easy if one has used Terminal at all (or even if you have never used Terminal but are feeling brave).

    However the instructions to run node index.js gave me the error message

    Cannot find module 'csv-parse/lib/sync'

    Maybe this relates to line 6 of the instructions, as npm will perhaps have been installed elsewhere.

  • @zendnez

    Glad it helped. :+1: :)

    Ben

  • weltan
    Community Member

    @danco @MrC

    I've updated the readme instructions to be better, hope that helps. But yes, this is really for technical folks. Hopefully 1Password comes out with something useful itself.

  • danco
    Volunteer Moderator

    Not enough for me yet. I tried a few things with Terminal that looked as though they should work. Here's what I got.

    MBP-311:~ danco$ cd /Users/danco/cloudbleed-1password
    MBP-311:cloudbleed-1password danco$ node index.js
    module.js:472
    throw err;
    ^

    Error: Cannot find module 'domain-name-parser'
    at Function.Module._resolveFilename (module.js:470:15)
    at Function.Module._load (module.js:418:25)
    at Module.require (module.js:498:17)
    at require (internal/module.js:20:19)
    at Object.<anonymous> (/Users/danco/cloudbleed-1password/index.js:6:20)
    at Module._compile (module.js:571:32)
    at Object.Module._extensions..js (module.js:580:10)
    at Module.load (module.js:488:32)
    at tryModuleLoad (module.js:447:12)
    at Function.Module._load (module.js:439:3)
    MBP-311:cloudbleed-1password danco$ npm install
    cloudbleed@0.0.1 /Users/danco/cloudbleed-1password
    └── domain-name-parser@2.3.0

    npm WARN cloudbleed@0.0.1 No repository field.
    MBP-311:cloudbleed-1password danco$

    Maybe I do best to wait until AgileBits can do something.

    I do have a folder domain-name-parser, but perhaps it is in the wrong place. A further try produced different errors, this time complaining of invalid closing quotes.

    However, this is all very interesting, and I quite enjoyed installing Homebrew, which might be useful in the future.

  • DanielP
    1Password Alumni

    Hi @danco

    Can you please paste the output of ls inside your /Users/danco/cloudbleed-1password folder?

  • danco
    Volunteer Moderator

    As I mentioned, I did find the csv-parse and domain-name-parser in the end, but ran into trouble with running the actual script.

    ls gives

    Dockerfile affectedSites.csv package.json
    LICENSE index.js
    README.md node_modules

    and node_modules does contain both csv-parse and domain-name-parser.

    But running node index.js gives

    MBP-311:~ danco$ cd /Users/danco/cloudbleed-1password
    MBP-311:cloudbleed-1password danco$ node index.js
    /Users/danco/cloudbleed-1password/node_modules/csv-parse/lib/index.js:389
    throw Error("Invalid closing quote at line " + (this.lines + 1) + "; found " + (JSON.stringify(this._.nextChar)) + " instead of delimiter " + (JSON.stringify(this.options.delimiter)));
    ^

    Error: Invalid closing quote at line 424; found "h" instead of delimiter ","
    at Parser.__write (/Users/danco/cloudbleed-1password/node_modules/csv-parse/lib/index.js:389:19)
    at module.exports (/Users/danco/cloudbleed-1password/node_modules/csv-parse/lib/sync.js:26:10)
    at parseUrlsFromCsv (/Users/danco/cloudbleed-1password/index.js:26:13)
    at Object.<anonymous> (/Users/danco/cloudbleed-1password/index.js:10:8)
    at Module._compile (module.js:571:32)
    at Object.Module._extensions..js (module.js:580:10)
    at Module.load (module.js:488:32)
    at tryModuleLoad (module.js:447:12)
    at Function.Module._load (module.js:439:3)
    at Module.runMain (module.js:605:10)

  • MrC
    Volunteer Moderator

    @danco, and others,

    I wrote a little Perl script to check your URLs against the compiled list of 4,287,594 suspect URLs. It reports your suspect URLs. I'm currently optimizing it, as it is brute force right now.

    If anyone is interested, let me know.

  • XIII
    Community Member

    Interested!

    (I have already used the NodeJS script, but that gave many timeouts while running)

  • MrC
    Volunteer Moderator

    @XIII ,

    Yeah, I didn't like the approach used in the script. There's no reason to bang on all those domains for all the possible users.

  • MrC
    Volunteer Moderator
    edited February 2017

    Ok, I finished my quick optimizations, and ran the script on my URLs. I found 13 sites on the list (out of almost 350, that's not bad). The scanning took about 3 1/2 minutes. Not too bad for 4.2 million sites! I could optimize it more, but there's not much value in that.

    All 13 passwords now changed.

  • danco
    Volunteer Moderator

    I would certainly like to use your script.

  • MrC
    Volunteer Moderator

    @danco,

    Sure thing. I'll place it in my AgileBits dropbox folder. Are you on OS X or Windows? I'll give instructions.

  • tinywzrd
    Community Member

    @MrC Would love to try out your script too. OSX

  • MrC
    Volunteer Moderator
    edited February 2017

    @danco - I realized later you were on OS X - sorry for being daft.

    @tinywizard, @danco - here are the instructions:

    1. Download the cloudflare-check.zip file - it will save to Downloads by default. Unzip it there.
    2. In 1Password, select the Logins group from the sidebar and select all of your Login records.
    3. File > Export > Selected Items, and choose Comma Delimited Text (.csv) from the File Format pull down
    4. In the Export dialog, change the File name to urlexport
    5. In the Export dialog, remove all of the export fields except for URL - it needs to be the only one that exists in the export.
    6. In the Export dialog, navigate to your Desktop, and click Save
    7. Open Terminal
    8. Type the command cd ~/Downloads/cloudflare-check and press Enter
    9. Type the command perl check.pl sorted_unique_cf.txt ~/Desktop/urlexport.csv

    The command will run, and you'll see output like:

    Building suspects table... Done.
    Checking URLs against suspects...
    Checking my.1password.com
    Found my.1password.com matches: (?^u:^1password($|\.))
    Checking www.aa.com
    Checking calstate.aaa.com
    Checking www.aa.com
    ...
    Checking www.yelp.com
    Found www.yelp.com matches: (?^u:^yelp($|\.))
    Checking zimbra.com
    Checking www.zipzoomfly.com
    Done.
    Suspect URLs
    my.1password.com
    ...
    www.yelp.com

    The building of the suspects table will take a few seconds, and then each possible site hit will be evaluated.

    Consider changing passwords for all the sites listed under the Suspect URLs, listed at the end of the output. These are possible compromises, it is unknown yet if there is any issue with the site.
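
An offline version of the check described in this thread, as an added example that is not part of the original discussion: it is neither MrC's check.pl nor weltan's index.js, and it makes no network requests. It assumes a suspect list with one domain per line and a URL-only export with one URL per line, tolerates stray quotes instead of aborting on them, and reports whether each hit is an exact hostname match or a match on a parent domain.

```javascript
// Added example: offline check of exported login URLs against a suspect-domain list.
// Assumed formats: one domain per line (suspects), one URL per line (export).
'use strict';

// Pull a lowercase hostname out of one export line; returns null if there is none.
function hostOf(line) {
  let s = line.trim().replace(/^"+|"+$/g, '');                 // tolerate stray quotes
  if (!s || /^url$/i.test(s)) return null;                      // blank line or header row
  if (!/^[a-z][a-z0-9+.-]*:\/\//i.test(s)) s = 'https://' + s;  // bare hostname
  try {
    return new URL(s).hostname.toLowerCase().replace(/\.$/, '');
  } catch (e) {
    return null;                                                // unparseable entry, skip it
  }
}

// Check the host, then each parent domain, against the suspect Set.
// The loop stops before the bare TLD, so "com" on its own can never match.
function matchSuspect(host, suspects) {
  const labels = host.split('.');
  for (let i = 0; i < labels.length - 1; i++) {
    const candidate = labels.slice(i).join('.');
    if (suspects.has(candidate)) return { host, matched: candidate, exact: i === 0 };
  }
  return null;
}

// Returns one hit per distinct hostname found in the export.
function checkExport(exportText, suspectText) {
  const suspects = new Set(
    suspectText.split(/\r?\n/).map(d => d.trim().toLowerCase()).filter(Boolean));
  const seen = new Set();
  const hits = [];
  for (const line of exportText.split(/\r?\n/)) {
    const host = hostOf(line);
    if (!host || seen.has(host)) continue;   // only identical hostnames are merged
    seen.add(host);
    const hit = matchSuspect(host, suspects);
    if (hit) hits.push(hit);
  }
  return hits;
}

// Constructed sample data, not taken from the real suspect list.
const SAMPLE_SUSPECTS = 'example.com\nshop.example.net\n';
const SAMPLE_EXPORT = 'URL\n"https://login.example.com/signin"\nhttps://example.net/\n' +
  '"https://shop.example.net/cart"\nexample.com\nhttps://login.example.com/other\n';
const SAMPLE_HITS = checkExport(SAMPLE_EXPORT, SAMPLE_SUSPECTS);
console.log(SAMPLE_HITS);
```

A hit with `exact: false` means only a parent domain is on the list, so the login's own hostname may or may not be affected.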

  • XIII
    Community Member

    Thank you!

    I'm going to try this tonight. I wonder how well the list of suspected sites matches the result of the NodeJS script.

    (I will probably change passwords for all sites in the union of the results)

  • danco
    Volunteer Moderator

    Didn't work for me. My issue? Or a typo in your script or instructions?

    Running the script just produced a > prompt, no other output. As below. Files download into a folder that (for historical reasons, I have never bothered to change it) is called Mountain Lion Installers.

    Last login: Sat Feb 25 10:12:47 on ttys000
    You have mail.
    MBP-311:~ danco$ cd /Users/danco/Mountain\ Lion\ Installers/cloudfare-check
    MBP-311:cloudfare-check danco$ `perl check.pl sorted_unique_cf.txt ~/Desktop/urlexport.csv

  • hesspaul
    Community Member
    edited February 2017

    Anyone know why my export menu item would be greyed out?

  • XIII
    Community Member

    Anyone know why my export menu item would be greyed out?

    For me it was grayed out when All Vaults were selected instead of a single one.

  • hesspaul
    Community Member

    Thanks @XIII it looks like I have to select them one at a time. I took advantage of the recent 1Password for Teams upgrade to reorganize so I have 17 vaults to do. :| Catch-22. I wish Watchtower would do this work for us!

  • danco
    Volunteer Moderator

    By the way, given MrC's output result, is it recommended to change the password for a 1PW individual account (which is shown as suspect)? I know that the 1PW protection is excellent, so a change is probably not needed except for the extremely paranoid/vulnerable, and changing my master password is something I would hate to do, the current one is almost embedded in my muscles as well as my mind.

  • XIII
    Community Member

    is it recommended to change the password for a 1PW individual account

    According to the AgileBits blog post that is not necessary.

  • MrC
    Volunteer Moderator
    edited February 2017

    @danco - sorry, my Markup text in the instructions for the perl ... command was missing a backquote, so it was literally included in the command. I've fixed it in the instructions. The single backquote in the command line would leave the command shell waiting for more input, hence your "no other output".

    @XIII and @danco, the site list grabbed contains the 4.2 million sites with possible compromises. It isn't known yet if there is any issue. But there is no harm in changing a few passwords, so I just did it, regardless of who says what is secure or not. It takes seconds, and is good practice anyway. I don't consider myself either paranoid or vulnerable - rather just too lazy, or too busy, to spend more time than the seconds it takes to change a password, to analyze whether or not I need to change that password. Life is short.

  • XIII
    Community Member

    I'm going to try this tonight. I wonder how well the list of suspected sites matches the result of the NodeJS script.

    The Perl script found 2 additional ones (and missed a few the NodeJS script found before).

    Since I had already changed the password for all of the suspects from the NodeJS script I will definitely change the password for these two as well.

  • danco
    Volunteer Moderator

    Yes, it worked this time. I don't know if I had several logins for some sites, but I did notice that there were some URLs that came up several times in the list (www.jazzfm.com came about five times).

  • MrC
    Volunteer Moderator

    Good to hear @danco. Yes, I didn't remove potentially duplicate URLs, because I really can't. A domain XXX.example.com and example.com may be entirely different sites, one or both being listed on the suspects list.

  • danco
    Volunteer Moderator

    OK, not a problem, just wondered.

This discussion has been closed.