Millions of websites from industries including eCommerce, email, government, and banking may have been leaking critically sensitive data for the past two years thanks to a serious bug in the very software intended to secure that communication: OpenSSL.
Any web application or service using a vulnerable OpenSSL version – OpenSSL 1.0.1 through 1.0.1f (inclusive) – can be exploited by an adversary to steal protected information, including session data, credentials, RSA private keys, etc.
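A first-pass triage check for the version range named above, added here as an example and not part of the original post or of PAY.ON's tooling: it parses `openssl version` banners and flags hosts on 1.0.1 through 1.0.1f. The host names and banners are constructed sample data; note that distributions backport fixes without bumping the upstream version, so a banner check is only an indicator and the vendor's advisory or a patch-level check is the final word.

```python
import re

# Range the post names as vulnerable: OpenSSL 1.0.1 through 1.0.1f (inclusive).
# 1.0.1g is the first upstream release carrying the Heartbleed fix.
VULNERABLE_BRANCH = (1, 0, 1)
FIRST_FIXED_LETTER = "g"

# Matches "OpenSSL 1.0.1e 11 Feb 2013" or a bare "1.0.1e"; the letter is optional
# because the initial release of a branch (e.g. "1.0.1") carries no suffix.
_VERSION_RE = re.compile(r"^(?:OpenSSL\s+)?(\d+)\.(\d+)\.(\d+)([a-z]?)")


def parse_openssl_version(banner):
    """Parse an `openssl version` banner into (major, minor, fix, letter).

    Returns None when the banner is not recognised.
    """
    m = _VERSION_RE.match(banner.strip())
    if not m:
        return None
    major, minor, fix, letter = m.groups()
    return (int(major), int(minor), int(fix), letter)


def is_heartbleed_range(banner):
    """True if the upstream version lies in 1.0.1 .. 1.0.1f inclusive."""
    parsed = parse_openssl_version(banner)
    if parsed is None:
        raise ValueError("unrecognised OpenSSL version string: %r" % banner)
    major, minor, fix, letter = parsed
    if (major, minor, fix) != VULNERABLE_BRANCH:
        return False          # 1.0.0, 0.9.8 and later branches are outside the range
    return letter < FIRST_FIXED_LETTER   # "" (plain 1.0.1) and "a".."f" sort before "g"


def triage(inventory):
    """Map host -> needs_patch for a dict of host -> `openssl version` banner."""
    return {host: is_heartbleed_range(banner) for host, banner in inventory.items()}


# Constructed sample inventory (hypothetical hosts, not PAY.ON systems).
SAMPLE_INVENTORY = {
    "test-web-01": "OpenSSL 1.0.1e 11 Feb 2013",
    "live-web-01": "OpenSSL 1.0.0k 5 Feb 2013",
    "patched-01": "OpenSSL 1.0.1g 7 Apr 2014",
}

if __name__ == "__main__":
    for host, vulnerable in sorted(triage(SAMPLE_INVENTORY).items()):
        print("%-12s %s" % (host, "PATCH NOW" if vulnerable else "ok"))
```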
I found a very good video describing the functionality of the Heartbleed vulnerability and why it is so critical. You can view the video here.
What does this mean for PAY.ON customers?
Our tech department immediately analyzed and verified all servers (several hundred).
The PAY.ON live system was NEVER affected, as it uses a different OpenSSL version. The live data and credentials were safe all the time!
The PAY.ON test system, which is technically fully independent from the live system, had to be patched. We have no indication that test data was leaked, but we recommend that you change your test system password.
Do you have to do anything – also in your private life?
The vulnerable code has been in use for about two years; how long the leak was known to attackers before its disclosure is unknown. The most commonly used services, such as Google, patched their sites very fast. Nevertheless, you cannot be sure that your credentials were safe all the time before that. Changing your passwords, at least on the sites in the list found here, is highly recommended.
During our analysis we also found that a system of Comodo, one of the leading providers of SSL certificates, was affected. We asked Comodo whether there was any chance the Root CA was compromised. Comodo informed us that this system is not connected to the Root CA and does not handle sensitive information. For us this means that our certificates are safe and no further action has to be taken.
A compromised Root CA would directly result in compromised SSL certificates. All of them. On every server using SSL certificates from Comodo. A change of the Root CA and all connected SSL certificates … a nightmare for all site operators out there.
I myself will take the time to change all my passwords, independently of whether the respective sites are listed as “affected” or not. This is something every one of us should do from time to time. And please do not share passwords between services – if compromised on one site, the attacker has two accounts without any additional effort.