Scary Backdoor

I think I’ve encountered a potential backdoor into Cloudflare via the apps.

There is only one app I have installed

It’s been installed a few days now but I went to see if any new features might be available by visiting the installed cloudflare apps section.

There wasn’t any so I just closed the browser.

Later, I began to notice strange log entries, such as:

https://dash.cloudflare.com/apps/install/ocwQiYiseVj6/edit?embed=true&dash=true&zone=f712e605ec6d3fef03bc3605fcb52e91

I pasted it into a browser that does not have access to Cloudflare (Chromium) and was surprised that it logged me right in.

I thought, nah… so then I tried it on Firefox and Epiphany, insta-logged in!

So then I began to worry and went to proxysite.com and pasted the URL into there, again!!!

Now I think it might be remedied but if anybody knows differently, please kill the bonzi-app so I know. The remedy (I think) was simply to choose save settings and step through the process where it says something about sharing your email with the maker of the app.

As so often :wink: I am afraid your question is not overly clear.

Are you saying you installed a Cloudflare application on your account and can now access your dashboard from everywhere without explicitly logging in?

The link you posted does not bring up your account, but only a login screen.

Yeah, I get that a lot (still, the words are clearer than what’s upstairs in my head :wink:

CF->Apps->Clippy App=Works Fine for days (and still does).

When I went to Clippy (in the apps section) to see if there were any new features added since my install, I was sent to the usual page where you can change features and activate or cancel out.

I made some changes but did neither (I did not cancel out or activate the changes and simply closed the page because I became distracted by something with more legs than me).

Later I noticed in my server logs:

https://dash.cloudflare.com/apps/install/ocwQiYiseVj6/edit?embed=true&dash=true&zone=f712e605ec6d3fef03bc3605fcb52e91

And as already stated, regardless of which browser I plugged that URL into, it simply had me auto-logged in to CF and at that very apps page where I failed to implement my change or cancel out. I tried in Epiphany, Midori, Firefox, Chromium and NetSurf browsers (two of them were installed just to verify that I was being auto-logged into CF just by pasting the URL that was found in my server’s logs).

What about now?

Oh yeah, so finally I cancelled out of the change and proceeded to close the browser. Now the link doesn’t work in any browser. That’s why I think it might be upstream, unless there’s some sort of intermediary cache beyond my control (a newly installed browser would never have visited that link before auto-logging me in to CF).

amen

The URL you posted now is the same as before. I am afraid I can only repeat what I already said. I only get the login screen, I do not get access to your account.

If you do get access to your account this would suggest you have some logon credentials saved within these browsers. Maybe try to purge the browser data and try again.

From what I can tell, the URL in question only seems to start the installation process of that specific application in your Cloudflare account.

I am fully aware that you are not able to go to the link Sandro.

As already stated, the fix was for me to cancel the changes in the app section of CF otherwise you would probably be able to go into that link (which was strangely discovered in my server’s logs).

Unless I’m lying to you, then it’s something, right?

I am not saying you are lying :slight_smile: just that I cannot reproduce that.

If you are convinced there is an issue it is probably best to take this to support directly. They will have more detailed insight and in their case you can also “keep these changes”, so they can log in and check if there really is an issue.

I am afraid the community is not the best place for that. It can’t do much about it, nor should the information really be public at this point, in case there really is an issue. I’d head straight over to support.

172.69.62.134 - - [19/Mar/2020:08:59:16 -0400] "GET /?_=0.ad00nq5zd3f HTTP/1.1" 200 19461 "https://dash.cloudflare.com/apps/install/ocwQiYiseVj6/edit?embed=true&dash=true&zone=f712e605ec6d3fef03bc3605fcb52e91" "Mozilla/5.0 (X11; Linux x86_64; rv:74.0) Gecko/20100101 Firefox/74.0"
173.245.54.203 - - [19/Mar/2020:08:59:18 -0400] "GET /?_=0.ad00nq5zd3f HTTP/1.1" 200 19461 "https://dash.cloudflare.com/apps/install/ocwQiYiseVj6/edit?embed=true&dash=true&zone=f712e605ec6d3fef03bc3605fcb52e91" "Mozilla/5.0 (X11; Linux x86_64; rv:74.0) Gecko/20100101 Firefox/74.0"
173.245.54.91 - - [19/Mar/2020:09:59:42 -0400] "GET /?_=0.4d17gd77xjx HTTP/1.1" 200 19461 "https://dash.cloudflare.com/apps/install/ocwQiYiseVj6/edit?embed=true&zone=f712e605ec6d3fef03bc3605fcb52e91" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/80.0.3987.87 Chrome/80.0.3987.87 Safari/537.36"
172.69.62.56 - - [19/Mar/2020:10:00:30 -0400] "GET /?_=0.51b8kg3wunj HTTP/1.1" 200 19461 "https://dash.cloudflare.com/apps/install/ocwQiYiseVj6/edit?embed=true&dash=true&zone=f712e605ec6d3fef03bc3605fcb52e91" "Mozilla/5.0 (X11; Linux x86_64; rv:74.0) Gecko/20100101 Firefox/74.0"
173.245.54.203 - - [19/Mar/2020:10:00:30 -0400] "GET /?_=0.bhr90aklsm HTTP/1.1" 200 19461 "https://dash.cloudflare.com/apps/install/ocwQiYiseVj6/edit?embed=true&dash=true&zone=f712e605ec6d3fef03bc3605fcb52e91" "Mozilla/5.0 (X11; Linux x86_64; rv:74.0) Gecko/20100101 Firefox/74.0"
172.69.63.9 - - [19/Mar/2020:10:00:31 -0400] "GET /?_=0.bhr90aklsm HTTP/1.1" 200 19461 "https://dash.cloudflare.com/apps/install/ocwQiYiseVj6/edit?embed=true&dash=true&zone=f712e605ec6d3fef03bc3605fcb52e91" "Mozilla/5.0 (X11; Linux x86_64; rv:74.0) Gecko/20100101 Firefox/74.0"
172.69.63.187 - - [19/Mar/2020:10:03:26 -0400] "GET /?_=0.o6sgksgjwy HTTP/1.1" 200 19461 "https://dash.cloudflare.com/apps/install/ocwQiYiseVj6/edit?embed=true&zone=f712e605ec6d3fef03bc3605fcb52e91" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Safari/605.1.15 Ubuntu/16.04 (3.18.11-0ubuntu1) Epiphany/3.18.11"
172.69.63.75 - - [19/Mar/2020:10:04:13 -0400] "GET /?_=0.exp1i51fjdh HTTP/1.1" 200 19461 "https://dash.cloudflare.com/apps/install/ocwQiYiseVj6/edit?embed=true&dash=true&zone=f712e605ec6d3fef03bc3605fcb52e91" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Safari/605.1.15 Ubuntu/16.04 (3.18.11-0ubuntu1) Epiphany/3.18.11"
172.69.62.56 - - [19/Mar/2020:10:04:34 -0400] "GET /?_=0.qtlz38ijgg HTTP/1.1" 200 19461 "https://dash.cloudflare.com/apps/install/ocwQiYiseVj6/edit?embed=true&dash=true&zone=f712e605ec6d3fef03bc3605fcb52e91" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Safari/605.1.15 Ubuntu/16.04 (3.18.11-0ubuntu1) Epiphany/3.18.11"
172.69.62.56 - - [19/Mar/2020:10:14:50 -0400] "GET /?_=0.cgvu4v9zhn7 HTTP/1.1" 200 19461 "https://dash.cloudflare.com/apps/install/ocwQiYiseVj6/edit?embed=true&dash=true&zone=f712e605ec6d3fef03bc3605fcb52e91" "Mozilla/5.0 (X11; Linux x86_64; rv:74.0) Gecko/20100101 Firefox/74.0"
173.245.54.109 - - [19/Mar/2020:10:14:51 -0400] "GET /?_=0.cgvu4v9zhn7 HTTP/1.1" 200 19461 "https://dash.cloudflare.com/apps/install/ocwQiYiseVj6/edit?embed=true&dash=true&zone=f712e605ec6d3fef03bc3605fcb52e91" "Mozilla/5.0 (X11; Linux x86_64; rv:74.0) Gecko/20100101 Firefox/74.0"

Not sure what that output is supposed to show. These are just referrer values.

But again, please see my previous response.
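Added example, not part of the thread and not code from Cloudflare or any participant: a small Python script that parses log lines in the Apache/nginx "combined" format, splits the Referer apart, and checks which network the client IPs belong to. The three sample lines are constructed from the ones posted above (quotes straightened; the `_=` cache-buster parameter in the request path is assumed, since the forum's markdown appears to have swallowed the underscores). It shows what the reply above is getting at: the request the origin actually served is `GET /`, the dashboard URL is only where the browser came from, and the `zone=` value in its query string identifies the zone without authenticating anyone.

```python
"""Parse combined-format access log lines and separate the request from its Referer."""
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Two of Cloudflare's published IPv4 edge ranges; they contain every client
# address in the thread's log (full list: https://www.cloudflare.com/ips-v4).
CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in ("173.245.48.0/20", "172.64.0.0/13")]

# Apache/nginx "combined" format:
# client ident user [time] "method path proto" status bytes "referer" "user-agent"
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample: three lines modelled on the thread's log, one per browser.
# The "_=" query parameter is an assumption (jQuery-style cache buster).
SAMPLE_LOG = """\
172.69.62.134 - - [19/Mar/2020:08:59:16 -0400] "GET /?_=0.ad00nq5zd3f HTTP/1.1" 200 19461 "https://dash.cloudflare.com/apps/install/ocwQiYiseVj6/edit?embed=true&dash=true&zone=f712e605ec6d3fef03bc3605fcb52e91" "Mozilla/5.0 (X11; Linux x86_64; rv:74.0) Gecko/20100101 Firefox/74.0"
173.245.54.91 - - [19/Mar/2020:09:59:42 -0400] "GET /?_=0.4d17gd77xjx HTTP/1.1" 200 19461 "https://dash.cloudflare.com/apps/install/ocwQiYiseVj6/edit?embed=true&zone=f712e605ec6d3fef03bc3605fcb52e91" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/80.0.3987.87 Chrome/80.0.3987.87 Safari/537.36"
172.69.63.187 - - [19/Mar/2020:10:03:26 -0400] "GET /?_=0.o6sgksgjwy HTTP/1.1" 200 19461 "https://dash.cloudflare.com/apps/install/ocwQiYiseVj6/edit?embed=true&zone=f712e605ec6d3fef03bc3605fcb52e91" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Safari/605.1.15 Ubuntu/16.04 (3.18.11-0ubuntu1) Epiphany/3.18.11"
"""


def parse_line(line):
    """Return the named fields of one combined-format line, or None if it does not match."""
    m = COMBINED.match(line)
    return m.groupdict() if m else None


def is_cloudflare_edge(ip):
    """True if the address lies in one of the Cloudflare ranges listed above."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_V4)


def referer_details(referer):
    """Split a Referer URL into host, path and the zone id from its query string."""
    if not referer:
        return None
    parts = urlsplit(referer)
    query = parse_qs(parts.query)
    return {"host": parts.hostname, "path": parts.path, "zone": query.get("zone", [None])[0]}


def summarize(log_text):
    """Contrast what was requested from the origin with where the browser came from."""
    entries = [e for e in (parse_line(ln) for ln in log_text.splitlines()) if e]
    refs = [referer_details(e["referer"]) for e in entries]
    return {
        "requests": len(entries),
        # The resource the origin actually served (query string dropped).
        "requested_paths": sorted({e["path"].split("?")[0] for e in entries}),
        # The page the browser was on when it issued the request.
        "referer_hosts": sorted({r["host"] for r in refs if r}),
        "referer_zones": sorted({r["zone"] for r in refs if r and r["zone"]}),
        "user_agents": len({e["ua"] for e in entries}),
        "all_from_cloudflare_edge": all(is_cloudflare_edge(e["ip"]) for e in entries),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Two things the summary makes visible. First, every request is for `/` on the origin; `dash.cloudflare.com` never appears in the request line, only in the Referer the browser attached because the site was being previewed inside the dashboard's app editor. Second, all client addresses fall in Cloudflare's published ranges: for a proxied site the origin sees the edge, not the visitor, so to tell which of these hits came from one's own browsers the origin would need to log the `CF-Connecting-IP` request header rather than the TCP peer address.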

I wasn’t posting it for my benefit as much as I was just offering a possible heads-up to a possible problem (after all, if CF breaks we’re all potentially down).

Anonymouskumar,

Why would that be the preferred method (by contacting support) when there’s this thing we’re communicating in now? Most of my questions are novice-type stuff, observances that are potentially a waste of management’s time.

In fact, what other purpose does this forum have but to eliminate the stress and load upon the engineers?

It seems to me it would be more practical to wait for cloonan or one of you other more knowledgeable people to pass it on to management if it were anything at all.

Well taken. Thanks


Hi @springfieldcomputer, the feedback from @sandro & @anon13899255 is great and we appreciate if you route this finding to Support. If & when you do, please share the ticket number here as I’d like to follow it internally to resolution. Short of that, I can open a ticket on your behalf, the net effect will be the same (i.e., you’ll receive copies of the ticket as if you’d filed it yourself). Thank you, we appreciate your comments and contributions.