Cloudflare.com was redirecting to Clickfunnels.com(cloudflare.com)
cloudflare.com
Cloudflare.com was redirecting to Clickfunnels.com
https://cloudflare.com/
32 comments
Looks like it's back to normal now. I wonder what happened.
A database migration caused the www.cloudflare.com name to get directed (along with a small number of other names). Didn't affect api.cloudflare.com or dash.cloudflare.com, etc.
Totally our doing and not a hack of any kind. Team is writing this up and we'll blog about what went wrong.
Sorry about this error.
Totally our doing and not a hack of any kind. Team is writing this up and we'll blog about what went wrong.
Sorry about this error.
Thanks. Curious: Were DNSSEC validating clients failing to redirect to clickfunnels.com too, or was the misconfiguration on Cloudflare's end such that they weren't?
If it wasn't DNS, then I guess it must have been the reverse-proxy? In that case, if clickfunnels had uploaded their own public CA (or hosted it on pages.dev, which doesn't add sni.cloudflaressl.com to common-name/dns-name), would the redirection still have been without browser errors?
If it wasn't DNS, then I guess it must have been the reverse-proxy? In that case, if clickfunnels had uploaded their own public CA (or hosted it on pages.dev, which doesn't add sni.cloudflaressl.com to common-name/dns-name), would the redirection still have been without browser errors?
Oh wow. I'm pinging the folks I know at CF, but it looks like they got owned. A quick dig shows that cloudflare.com points to the same server running clickfunnels.com; not sure what that indicates about the attack.
EDIT: scratch that, different IP.
EDIT 2: A CURL to www.cloudflare.com gives an error page. A CURL with the FF agent header gives the redirect.
EDIT 3: Word is, not a hack. Configuration mistake.
EDIT: scratch that, different IP.
EDIT 2: A CURL to www.cloudflare.com gives an error page. A CURL with the FF agent header gives the redirect.
EDIT 3: Word is, not a hack. Configuration mistake.
Something similar happened at the CDN I work for about 10 years ago… a custom configuration we made for a customer had a typo in it (it was on the host matching regex… the regex had a trailing |, which caused it to match every host)… this caused every request for any customer to be sent to that one customer. It quickly overwhelmed their origin and caused an outage (the largest one we have ever had, before or since). We wrote a system that is still in place today that loads all new configurations and sends test traffic to it, to make sure the results are as we expect.
We did not get owned: https://news.ycombinator.com/item?id=30069658
ClickFunnels tweeted this one hour ago... https://twitter.com/clickfunnels/status/1485738682346876938
They did, but I'm not sure it's referencing this incident. Doing a cursory look back through their Twitter timeline, the account seems to tweet twice every business day.
Currently it looks like this was a config error, not a hack.
Perfect timing mwahaha
I don't believe for one second that clickfunnels would have done this on purpose. Not that I know them personally, just that it would be a huge backfire if they had. My money's on clickfunnels being a cloudflare client that just happens to be the recipient of some description of forwarder misconfiguration.
Still, not a good look, is it?
Still, not a good look, is it?
There's no such thing as bad press!
But more realistically, I imagine that if this was deliberate they would be sued into oblivion and criminal charges might even be pressed. Don't mess with other rich people.
But more realistically, I imagine that if this was deliberate they would be sued into oblivion and criminal charges might even be pressed. Don't mess with other rich people.
Yeah, definitely not something clickfunnels did: https://news.ycombinator.com/item?id=30069658
It looks like Crunchbase is/was also redirecting to Clickfunnels [1] although I'm not seeing that at the moment.
[1] https://twitter.com/NateSmoyer/status/1485750837322215424
[1] https://twitter.com/NateSmoyer/status/1485750837322215424
clickfunnel... true to its name ;)
https://www.cloudflarestatus.com/incidents/0cp9s9cdw7qx characterizes it as an issue related to a database migration.
https://twitter.com/Yank/status/1485763736103096320 claims to be a Cloudflare community person:
> It was a configuration issue that was limited to the marketing site. The dashboard and all customer sites and services were not impacted.
https://twitter.com/Yank/status/1485763736103096320 claims to be a Cloudflare community person:
> It was a configuration issue that was limited to the marketing site. The dashboard and all customer sites and services were not impacted.
Wow yeah, seeing this as well
wget cloudflare.com --2022-01-24 23:21:32-- http://cloudflare.com/ Resolving cloudflare.com... 104.16.132.229, 104.16.133.229, 2606:4700::6810:85e5, ... Connecting to cloudflare.com|104.16.132.229|:80... connected. HTTP request sent, awaiting response... 301 Moved Permanently Location: https://www.cloudflare.com/ [following] --2022-01-24 23:21:32-- https://www.cloudflare.com/ Resolving www.cloudflare.com... 104.16.123.96, 104.16.124.96, 2606:4700::6810:7b60, ... Connecting to www.cloudflare.com|104.16.123.96|:443... HTTP request sent, awaiting response... 302 Found Location: https://www.clickfunnels.com?aff_sub=domain_redirect&utm_cam... [following] --2022-01-24 23:21:33-- https://www.clickfunnels.com/?aff_sub=domain_redirect&utm_ca... Resolving www.clickfunnels.com... 104.16.16.194, 104.16.14.194, 104.16.15.194, ... Connecting to www.clickfunnels.com|104.16.16.194|:443... connected. HTTP request sent, awaiting response... 200 OK
wget cloudflare.com --2022-01-24 23:21:32-- http://cloudflare.com/ Resolving cloudflare.com... 104.16.132.229, 104.16.133.229, 2606:4700::6810:85e5, ... Connecting to cloudflare.com|104.16.132.229|:80... connected. HTTP request sent, awaiting response... 301 Moved Permanently Location: https://www.cloudflare.com/ [following] --2022-01-24 23:21:32-- https://www.cloudflare.com/ Resolving www.cloudflare.com... 104.16.123.96, 104.16.124.96, 2606:4700::6810:7b60, ... Connecting to www.cloudflare.com|104.16.123.96|:443... HTTP request sent, awaiting response... 302 Found Location: https://www.clickfunnels.com?aff_sub=domain_redirect&utm_cam... [following] --2022-01-24 23:21:33-- https://www.clickfunnels.com/?aff_sub=domain_redirect&utm_ca... Resolving www.clickfunnels.com... 104.16.16.194, 104.16.14.194, 104.16.15.194, ... Connecting to www.clickfunnels.com|104.16.16.194|:443... connected. HTTP request sent, awaiting response... 200 OK
the 302 seems to have stopped already
I'm seeing this, too, but only for www.cloudflare.com — not hosted sites.
Seems to be resolving — I noticed it when automation started failing on https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6 and those are back to normal. Guessing someone is having a rough day…
Right, it seems to be only for their landing page. Their subdomain for their client dashboard still works https://dash.cloudflare.com/
There is a recentish post on the CF forums about this site and redirection
https://community.cloudflare.com/t/strange-redirect-to-click...
Wonder if a configuration error triggered it. Clickfunnels.com is also using Cloudflare and their SaSS offering will to I guess.
https://community.cloudflare.com/t/strange-redirect-to-click...
Wonder if a configuration error triggered it. Clickfunnels.com is also using Cloudflare and their SaSS offering will to I guess.
Looks like nginx vhosts or load balancing got screwed up? DNS is still all pointing to the normal CF hosts.
Side remark: To me every page created with the standard click funnel template screams "scam".
I’d want to see the RCA on this. Is this a manual process and they pushed the wrong config to the wrong hosts?
Seeing this as well. Curious to know what happened.
[deleted]