Heartbleed

From IndieWeb


Heartbleed was a security vulnerability announced 2014-04-08 in OpenSSL, a common open source library used in https connections.

The vulnerability has been widespread since 2012-03-14 when OpenSSL version 1.0.1 (with the bug) was released.[1] Any software or services which incorporated or updated OpenSSL since that date may have been (still be) vulnerable.

This page is for the indieweb community to keep track of various services and software that anyone in the community may have been using that was vulnerable to Heartbleed but has been patched since - please add to it.

Sites affected

The following sites and services reported being affected, that is they admit being vulnerable, and possibly attacked (e.g. by email to their users, blog posts, or headers upon login)

  • IFTTT - users notified by email 2014-04-09:

    Subject: Security Update

    A major vulnerability in the technology that powers encryption across much of the internet was discovered this week. Like many other teams, we took immediate action to patch the vulnerability in our infrastructure.

    IFTTT is no longer vulnerable.

    Though we have no evidence of malicious behavior ... We encourage you to change your password not only on IFTTT, but everywhere ...

    Strong emphasis added.
  • Tumblr - users notified by email 2014-04-11:

    A major vulnerability has been disclosed for the technology that powers encryption across the majority of the internet. That includes Tumblr. Our team took immediate action to fix the issue, but you should still take some time to change your password...

  • Venmo - users notified by email 2014-04-15:

    Subject: [Venmo] Update on Heartbleed/OpenSSL

    Last week, a major security flaw was detected in OpenSSL, the technology that powers encryption across much of the internet. Like many services, we took immediate steps to patch the potential vulnerability in our infrastructure.

    We found no evidence of any malicious behavior, but to be extra cautious, we recommend that you change your Venmo password [...]

    Strong emphasis added.
  • ...

See also Wikipedia: Heartbleed

Please add any other sites or services (e.g. silos) that were vulnerable but which have been patched AND you've already changed your pw on. Provide a citation for the vulnerability (e.g. a blog post by the silo).

Software affected

Please add any software that was vulnerable to Heartbleed but which has been patched AND you've already updated your install thereof (or your service provider has).

Sites claiming no sign of attack

The following sites and services reported no signs of being targeted or otherwise attacked due to this vulnerability, but did explicitly provide notice to users anyway, typically with a caveat of maybe it happened and we didn't know, and thus still recommended change of passwords:

  • Sonic.net - 2014-04-10 email to users:

    Subject: Protect your privacy: Heartbleed bug

    Protect yourself against the Heartbleed bug: change your passwords!

    Early this week a severe vulnerability in OpenSSL known as the Heartbleed bug was announced. Sonic.net is joining many other providers and recommending that you change your passwords for each your online services. [...] Do not forget to change your ISP and email account passwords! [...]

    We do not have any reason to believe that we, or any of our users, were targeted. However, this attack was undetectable. and the cautious response is to assume that sensitive information has been leaked.

    Strong emphasis added. Note that Sonic.net is an ISP so when they're suggesting you "change your ISP ... passwords" they are by implication including themselves.
  • ...

See Also