Ivan Tomica

Checking “Cloudbleeded” passwords in password-store (pass)

So, there’s this CloudFlare HTTPS traffic memory leak that happened and it is good idea to change passwords for all of your sites that are using cloudflare. Full list of sites using cloudflare is available on above mentioned Github page.

I’m using pass, simple password manager that stores all of the credentials in gpg encrypted files. I’m not going on explaining what it is in more details since if you’re reading this blog you probably at least know of it. If you have ever used it you know it doesn’t have all those fancy features online password managers like Lastpass have so in case such as this it gets a bit harder to automatically check sites that are affected.

I’ve put together a little bash script to help you check which of your site passwords needs to be changed. Keep in mind that script is basically just comparing list of your gpg files with list of sites using CloudFlare, so I really hope that you’ve think through your pass entry naming scheme properly (using domain name as name of the file).

Script will also print out only entries that needs to be changed along with date of the last change. February 24th, 2017 is date we’re comparing it against. So, without further ado, here’s the script:

#!/bin/bash

LIST="/tmp/sorted_unique_cf.txt"
URL="https://raw.githubusercontent.com/pirate/sites-using-cloudflare/master/sorted_unique_cf.txt"
HOMEDIR="/home/$(whoami)/.password-store/"
DATE="Feb 24, 2017"
NEEDSCHANGING="/tmp/needs-changing.txt"

if [ ! -f "$LIST" ]; then
	wget -O "$LIST" "$URL" &>/dev/null
else
	echo "$LIST already exists. Checking agains that, to update it remove file manually."
fi

for SITE in $(find "$HOMEDIR" -type f -iname "*.gpg" -printf "%f\n" | sed 's/\.gpg$//g'); do
	grep -F -x "$SITE" "$LIST"
done > "$NEEDSCHANGING" 

while read -r CHSITE; do
	find "$HOMEDIR" -type f -iname "*$CHSITE*" ! -newermt "$DATE" -printf "%TY-%Tm-%Td %P\n"
done < "$NEEDSCHANGING"

Save it as some file, let’s say passbleed-check.sh and run it:

chmod 0700 passbleed-check.sh
./passbleed-check.sh
Tagged in:,
About 
Sysadmin on the everlasting journey of learning. Always in search for an opportunity to prove myself and to learn something new. My addiction is learning and my main goal is to excel in every aspect of Linux/Unix system administration.

0 Comments

Leave a Reply

Your email address will not be published. Required fields are marked *