The web has been abuzz since the disclosure of CVE-2014-0160, also known as the “Heartbleed” OpenSSL bug. Given its potential impact, we wanted to make sure you have all heard about it and understand its implications for you.
First, what is it?
For those less technical: it is a vulnerability that can expose information you thought was secure on your servers. For those a bit more technical: “Heartbleed” is a security vulnerability caused by a programming bug in the OpenSSL library that makes the remote process (a web server, for instance) leak a random block of its memory. By repeating the malformed call, attackers could search the leaked data for patterns of sensitive information (passwords, credit card numbers, even the private keys of SSL certificates). Since this bug was present in all OpenSSL releases between March 14th 2012 and April 7th 2014 (versions 1.0.1 to 1.0.1g), an attacker who was aware of the bug could have extracted sensitive data from affected servers during all of that time.
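As an added illustration (not code from the original post or from OpenSSL), the following C model shows the shape of the bug described above: a handler that echoes as many bytes as the peer claims it sent, beside one that first checks that claim against the real record length. The record layout, the padding rule and the "SECRET-KEY-MATERIAL" neighbour data are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Constructed model of the TLS heartbeat bug (CVE-2014-0160), not OpenSSL's code.
 * Request layout: [type:1][payload_len:2][payload][16 bytes padding]. */
#define HB_HDR 3
#define HB_PAD 16
#define MEM_SIZE 64

/* Fill a fake process-memory buffer: a heartbeat record, then unrelated data next to it. */
void build_memory(unsigned char *mem, uint16_t claimed_len) {
    memset(mem, 0, MEM_SIZE);
    mem[0] = 1;                                  /* heartbeat request */
    mem[1] = (unsigned char)(claimed_len >> 8);
    mem[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(mem + HB_HDR, "ping", 4);             /* the real 4-byte payload */
    /* mem[7..22] stays zero: the 16-byte padding that legitimately follows the payload */
    memcpy(mem + HB_HDR + 4 + HB_PAD, "SECRET-KEY-MATERIAL", 19); /* neighbouring heap data */
}
/* Vulnerable handler: echoes as many bytes as the peer *claims* it sent.
 * rec_len (the real record length) is never consulted, so the copy runs past the record. */
int heartbeat_unchecked(const unsigned char *rec, size_t rec_len, unsigned char *out, size_t out_len) {
    (void)rec_len;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if (payload > out_len) return -1;            /* keeps the model in bounds; the real bug had no such guard */
    memcpy(out, rec + HB_HDR, payload);
    return payload;
}

/* Fixed handler: header + claimed length + padding must fit inside the received record
 * (the bounds test OpenSSL 1.0.1g added); otherwise the request is dropped. */
int heartbeat_checked(const unsigned char *rec, size_t rec_len, unsigned char *out, size_t out_len) {
    if (rec_len < HB_HDR) return -1;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)HB_HDR + payload + HB_PAD > rec_len) return -1;
    if (payload > out_len) return -1;
    memcpy(out, rec + HB_HDR, payload);
    return payload;
}

int main(void) {
    unsigned char mem[MEM_SIZE], out[MEM_SIZE];
    size_t rec_len = HB_HDR + 4 + HB_PAD;        /* 23 bytes actually arrived on the wire */
    build_memory(mem, 32);                       /* but the header claims a 32-byte payload */
    int n = heartbeat_unchecked(mem, rec_len, out, sizeof out);
    printf("unchecked: echoed %d bytes; bytes 20..31 of the reply: %.12s\n", n, out + 20);
    printf("checked: result %d (request rejected)\n", heartbeat_checked(mem, rec_len, out, sizeof out));
    return 0;
}
```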
So what did we do about it for our customers?
As soon as the security bulletin broke, we re-checked all our external-facing SSL-secured services against this vulnerability. None of the services related to payment processing were found to be susceptible to this bug, as none of them was set up in a way that could ever be vulnerable. This means that neither the private keys nor other sensitive information were leaked at any point in time due to this vulnerability, even to potential attackers that had knowledge of this exploit before its disclosure on April 7th 2014. Rest assured that our security team continues to work hard to keep your data secure.
So what should you do about this?
Changing your login passwords for Avangate Control Panels or API communication is not necessary because of the Heartbleed bug; however, we recommend changing your passwords regularly to minimize the attack window for similar issues in the future.
We recommend that all our customers, many of whom have web services exposed to the Internet, review their commerce and other server setups to ensure that all sensitive material that could have been compromised is renewed. If you run SSL-secured services of your own, investigate whether you were affected by this bug at any point and consider updating keys and passwords.
For more information: http://heartbleed.com/.
The Avangate Operations Team