Security concern regarding API Tokens

Hello,

Around March 20, my email, including my Cloudflare account, was compromised. I regained access to everything in March and I have restored my website 2 times now. But on April 29 I realized that in my account settings Cloudflare has API keys used to access Cloudflare APIs. I was not aware Cloudflare provides an API key, and I did not change the API keys after I regained access to my Cloudflare account. I changed both my Global API key and Origin CA key after realizing this on April 29. I have already opened a support ticket regarding my security concerns, but it has been 11 days, the ticket is still ongoing and the response is incredibly slow; it’s been almost a week and there’s still no response. It is driving me crazy since this involves my website / server security.

So I decided to post it on the forum here in hopes someone from Cloudflare can help ease my paranoia and concerns. I have extreme OCD and paranoia and I really hope someone can help me ease my concerns regarding this.

I have looked into the Audit logs and there were no logs of the unauthorized user viewing my Global API key. But in regards to the Origin CA Key API token: I realize that viewing the Global API key is tracked and shown in the Audit log. BUT when I view the Origin CA Key in the account API Tokens, it does not show up in the Audit logs. I tested it by viewing it myself; it does not register or track it in the audit logs.

So right now I am concerned about whether the unauthorized user viewed and had access to my Origin CA API key between the dates I was still unaware of it and before I changed it on April 29.

As to my understanding (please correct me if I am wrong), the Origin CA Key in my API tokens can be used to create and revoke origin certificates through the API. Cloudflare support in my ticket mentioned that:

If someone has your origin private key, they could theoretically set up host and point your site to it without raising any alarm with regard to the origin SSL. I would suggest revoking the existing SSL and configuring a new one on the origin server if you have a concern about this.

Is there any way to check and verify through logs if the above happened?

I don’t have an origin certificate set up on my Cloudflare and server. I am only using a Cloudflare Edge Certificate. I have provided a screenshot of my Cloudflare SSL configuration below.

I also tested and realized that whenever I create and revoke an origin certificate through the UI on Cloudflare, it does not track and show on the Audit logs. Is there any way for me to know whether my Origin CA Key in my API tokens was used or not, and whether there is any history of an origin certificate being created or revoked?

If you have no Origin Certs in your account, then any that were created were revoked and are now worthless.

Not to mention that they’re the equivalent of a self-signed certificate. They’re only valid on a site proxied by Cloudflare, and Cloudflare isn’t going to proxy your domain through another account.

Hello, thank you for the response,

So let’s say there is a possibility the malicious user created the origin certificate and then revoked it after he was done using it to hide his tracks. Since I only realized about the API key on the 29th of April, he had plenty of time to create and revoke it.

  • What damage could’ve been done?

  • Is there any way I could verify if the Origin CA API key was even used?

  • Is there even any way to check if there is any history of an Origin certificate being created? Audit logs don’t show it

  • Especially what the Cloudflare support mentioned

If someone has your origin private key, they could theoretically set up host and point your site to it without raising any alarm with regard to the origin SSL. I would suggest revoking the existing SSL and configuring a new one on the origin server if you have a concern about this.

  • Should I be worried about this? In doing the above, what damage could’ve been done?

For them to use that certificate, they would have to do something that would show up in the audit logs, such as:

  • Add a subdomain for a malicious website
  • Change the IP address of an existing hostname that points to a malicious website
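The reply above makes a concrete detection point: an origin certificate alone does nothing unless the attacker also changes DNS in the account, and DNS changes are recorded in the audit log. The script below is an added example written for this thread, not code from Cloudflare or from any poster. It filters audit-log entries down to DNS record changes that fall inside the exposure window (from the account compromise to the day the keys were rotated) and marks whether the actor is a known account owner. The JSON sample, the actor emails, the record values and the year are all constructed; the field names (`when`, `actor.email`, `action.type`, `resource.type`, `oldValue`, `newValue`) are an assumption modelled on the general shape of an exported Cloudflare audit log, so adjust them to match a real export before use.

```python
import json
from datetime import datetime, timezone

# Constructed sample of account audit-log entries. Assumption: the field
# names approximate a real Cloudflare audit-log export; every actor, id,
# timestamp and record value below is made up for this example.
SAMPLE_AUDIT_LOG = json.dumps({"result": [
    {"id": "log-001", "when": "2021-04-02T03:14:00Z",
     "actor": {"email": "unknown@example.invalid", "ip": "203.0.113.7"},
     "action": {"type": "add", "result": True},
     "resource": {"type": "DNS_record", "id": "rec-aaa"},
     "oldValue": "", "newValue": "A evil.example.com 198.51.100.9"},
    {"id": "log-002", "when": "2021-04-10T18:20:00Z",
     "actor": {"email": "owner@example.com", "ip": "192.0.2.10"},
     "action": {"type": "update", "result": True},
     "resource": {"type": "DNS_record", "id": "rec-bbb"},
     "oldValue": "A example.com 192.0.2.50", "newValue": "A example.com 192.0.2.51"},
    {"id": "log-003", "when": "2021-04-10T18:25:00Z",
     "actor": {"email": "owner@example.com", "ip": "192.0.2.10"},
     "action": {"type": "change_setting", "result": True},
     "resource": {"type": "zone_setting", "id": "ssl"},
     "oldValue": "flexible", "newValue": "full"},
    {"id": "log-004", "when": "2021-05-02T09:00:00Z",
     "actor": {"email": "owner@example.com", "ip": "192.0.2.10"},
     "action": {"type": "add", "result": True},
     "resource": {"type": "DNS_record", "id": "rec-ccc"},
     "oldValue": "", "newValue": "CNAME www.example.com example.com"},
]})

# Exposure window from the thread: compromise around March 20, keys rotated
# April 29 (year is a constructed placeholder).
COMPROMISE_START = datetime(2021, 3, 20, tzinfo=timezone.utc)
KEYS_ROTATED = datetime(2021, 4, 29, 23, 59, 59, tzinfo=timezone.utc)
OWNER_EMAILS = {"owner@example.com"}


def parse_when(value):
    """Parse an ISO 8601 timestamp with a trailing 'Z' into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def flag_dns_changes(raw_json, start, end, owner_emails):
    """Return DNS record changes inside [start, end], oldest first.

    Each flagged entry keeps the before/after values so the reviewer can
    see which hostname or IP was touched, and whether the actor is one of
    the known owner identities (an unknown actor deserves priority).
    """
    entries = json.loads(raw_json)["result"]
    flagged = []
    for entry in entries:
        when = parse_when(entry["when"])
        if not (start <= when <= end):
            continue
        # Only DNS record changes matter for the certificate misuse scenario
        # described in the thread; other resource types are skipped.
        if entry.get("resource", {}).get("type") != "DNS_record":
            continue
        actor = entry.get("actor", {}).get("email", "")
        flagged.append({
            "id": entry["id"],
            "when": entry["when"],
            "action": entry["action"]["type"],
            "actor": actor,
            "actor_known": actor in owner_emails,
            "old": entry.get("oldValue", ""),
            "new": entry.get("newValue", ""),
        })
    flagged.sort(key=lambda f: parse_when(f["when"]))
    return flagged


if __name__ == "__main__":
    for hit in flag_dns_changes(SAMPLE_AUDIT_LOG, COMPROMISE_START, KEYS_ROTATED, OWNER_EMAILS):
        marker = "" if hit["actor_known"] else "  <-- unknown actor"
        print(f'{hit["when"]} {hit["action"]:7} {hit["actor"]:28} {hit["old"]!r} -> {hit["new"]!r}{marker}')
```

On the constructed sample, the two DNS changes inside the window are reported (the unknown-actor addition of a new hostname and the owner's own IP change), while the SSL-mode change and the post-rotation CNAME are dropped. In practice you would feed the script the JSON from an audit-log export covering the whole exposure window and review every reported line, giving priority to unknown actors and to records whose new value points somewhere you do not recognise.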

Hello, thank you so much for easing my concerns, but I have some questions I would like to clarify.

When Cloudflare support mentioned in my ticket:

If someone has your origin private key, they could theoretically set up host and point your site to it without raising any alarm with regard to the origin SSL. I would suggest revoking the existing SSL and configuring a new one on the origin server if you have a concern about this.

1. Will he be able to use the origin certificate created in my Cloudflare account, install the certificate onto his own server and do anything malicious with it, like pointing my site to his own server, for example?

2. Because I am not too sure what Cloudflare support exactly meant when they mentioned

set up host and point your site to it without raising any alarm

(a) Did they mean that when they install the certificate onto their own server, they would NEED to change my Cloudflare DNS settings, change the IP address and point it to their server IP to even be able to use the origin certificate? If they don’t do this, the origin certificate won’t work and is useless.

or

(b) Using the origin certificate private key and installing the origin certificate onto their server, they are able to point my site to their server without the need to even change my Cloudflare DNS settings.

  • Add a subdomain for a malicious website
  • Change the IP address of an existing hostname that points to a malicious website

3. I assume the subdomain and the change of IP address you mention would have been in the DNS section of my Cloudflare?
