Cloudflare / Pass Checker

www.passwordstore.org at sjau.ch
Sat Feb 25 14:49:35 CET 2017


Hi Simon

One of the problems is that you might have saved www.domain.tld or 
sub.domain.tld in your password-store. They wouldn't match the cfbleed 
domain list, as they are only domain.tld.

Another thought I had was just to limit the password-store entries to 
domain.tld but then special cases like domain.co.uk wouldn't be missed.

For that reason I iterate every entry in the cfbleed list over the 
entries found in the password-store.

Stephan

On 25.02.2017 14:37, Simon Lackerbauer wrote:
> This seems unnecessarily complex. I just cobbled together something real
> quick, which works well for my usecase with filenames being domain
> names, mostly at the password-store root, some in subdirectories:
>
> #!/bin/bash
>
> CLOUDFLARE_FILE=~/sorted_unique_cf.txt
> PASS_STORE=~/dev/password-store/
>
> # Walk every non-hidden file in the store (skips .git, .gpg-id and friends),
> # strip the directory and the .gpg suffix, and look for that exact name in the list.
> find "${PASS_STORE}" -not -path '*/\.*' -type f -follow -print | while IFS= read -r f; do
>     base_filename=${f##*/}
>     base_filename_without_gpg=${base_filename%.*}
>     grep -Fx "${base_filename_without_gpg}" "${CLOUDFLARE_FILE}"
> done
>
> Does the job in about 4 seconds for my ~200 passwords. And apparently
> uber.com and patreon.com are affected.
>
> Cheers,
> Simon
>
> On 02/24/2017 01:13 PM, www.passwordstore.org at sjau.ch wrote:
>> Hi there
>>
>> Just learnt today about the cloudflare fiasco. Good that I use pass and
>> have separate passwords for things.
>>
>> Also, usually I store stuff in Web\domain.tld when I need to make an
>> account at domain.tld.
>>
>> So, I wrote a small bash script that allows you to check the Cloudflare
>> domain list against your pass entries to see if there are services that
>> you use that could be compromised.
>>
>> The current cloudflare domain list can be found here:
>>
>> https://github.com/pirate/sites-using-cloudflare
>>
>> I'm not sure how accurate that is but it has over 4 million domains.
>>
>> Since the script uses bash and bash isn't so slow, it takes quite a
>> while to parse everything (still parsing on my system).
>>
>> Basically what the script does is build an array of your pass entries -
>> omitting the .gpg and the path.
>>
>> Then it reads out the first 1000 entries in the cloudflare list and
>> iterates them over each pass entry. If there's a match, it should write
>> to a separate text file.
>>
>> All you have to do is download the attached script, set the path to your
>> password-store and the cloudflare domain list and let it run. As said,
>> it will take quite a long time.
>>
>> Feel free to improve the script ;)
>>
>> Stephan
>>
>>
>> _______________________________________________
>> Password-Store mailing list
>> Password-Store at lists.zx2c4.com
>> https://lists.zx2c4.com/mailman/listinfo/password-store
>>
>

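An added example, not Simon's or Stephan's script: a bash version of the check Stephan describes, which tries each parent domain of an entry so that www.domain.tld or sub.domain.tld still hits domain.tld in the list, and loads the list into an awk hash once instead of running grep for every entry. The store layout, file names and the three-line domain list are constructed sample data; the real list would be the file from the thread.

```bash
#!/bin/bash
# Added example: match password-store entry names against a Cloudflare domain list,
# walking up parent domains so "Web/www.example.com" is matched by "example.com".

# Print "entry<TAB>candidate" for the entry name and each parent domain:
# Web/www.example.com -> www.example.com, example.com, com
candidates() {
  local rel=$1 name=${1##*/}          # drop any subdirectory such as Web/
  while :; do
    printf '%s\t%s\n' "$rel" "$name"
    case $name in
      *.*) name=${name#*.} ;;         # strip the leftmost label
      *)   return ;;
    esac
  done
}

# Print "entry<TAB>matched_domain" for every store entry whose name, or a parent
# of it, is in the list. The most specific match wins; hidden dirs are skipped.
check_store() {
  local listfile=$1 store=${2%/}
  find "$store" -not -path '*/.*' -type f -name '*.gpg' -print |
  while IFS= read -r f; do
    rel=${f#"$store"/}                # path relative to the store root
    candidates "${rel%.gpg}"
  done |
  awk -F'\t' -v list="$listfile" '
    BEGIN { while ((getline d < list) > 0) cf[d] = 1; close(list) }
    ($2 in cf) && !seen[$1]++ { print $1 "\t" $2 }' |
  LC_ALL=C sort
}

# Constructed sample store and list (placeholders, not real Cloudflare data).
demo() {
  local tmp; tmp=$(mktemp -d)
  mkdir -p "$tmp/store/Web" "$tmp/store/.git"
  : > "$tmp/store/Web/www.example.com.gpg"      # saved with a www. prefix
  : > "$tmp/store/example.org.gpg"              # exact match
  : > "$tmp/store/mail.shop.example.co.uk.gpg"  # two labels above a .co.uk domain
  : > "$tmp/store/notlisted.net.gpg"            # must not match
  : > "$tmp/store/.git/example.org.gpg"         # hidden directory, skipped
  printf '%s\n' example.com example.org example.co.uk > "$tmp/cf.txt"
  check_store "$tmp/cf.txt" "$tmp/store"
  rm -rf "$tmp"
}

demo
```

Each entry is reported once, with the longest suffix that appeared in the list, so a match on example.co.uk is not hidden behind a spurious hit on co.uk.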