Heartbleed

an_security_nut
New Community Member

Hey, Paypal,

Just logged in today to change my password after the revelations about Heartbleed, and was astounded that you didn't preemptively force a password reset.

For those reading this who don't know, Heartbleed is a vulnerability in, basically, the underpinnings of secure Web traffic (the OpenSSL implementation of the TLS/SSL protocol), which makes it possible for hackers to potentially get your passwords right out of a server's RAM. It is prudent, with the revelation, to change all your passwords soon - especially those protecting sensitive data like card numbers.


snowshoe
Frequent Advisor

You may want to contact Tech Support about your concerns.

https://ppmts.custhelp.com/app/home


cj99
Contributor

Who says they use OpenSSL? There are other SSL alternatives. I assume from their silence, Heartbleed is not an issue.

Zosoled
New Community Member

From filippo.com/hearbleed, PayPal IS VULNERABLE. The tool is actively able to exploit the bug.

This must be addressed immediately, gonna email tech support now.


SelbyBill
New Community Member

It is my understanding, per the CNN article below, that if PayPal uses the affected SSL it must be patched before changing your password, or your new password would be compromised as well. I am curious if PayPal even uses OpenSSL or if they have their own proprietary code written themselves. http://money.cnn.com/2014/04/09/technology/security/heartbleed-bug/index.html


westernstar
New Community Member

According to my bank's statement about Heartbleed, they listed paypal.com as an affected company, as well as amazon.com. Here is a link to the bank release I received today. https://www.ffb.com/542.htm


designprophets
New Community Member

I just checked LastPass and they show that as of April 9, 2014, PayPal IS vulnerable:

https://lastpass.com/heartbleed/?h=www.paypal.com

You can check any HTTPS URL with the tool above to determine if any of your other "Trusted" sites are also vulnerable.

matteperez82
New Community Member

so we have to wait before changing the password?


Mexlex
Contributor

What the various HEARTBLEED BUG checkers can do is determine what server software is being used for HTTPS access to the server.

For example, in the case of https://paypal.com this is the report:

Detected server software of Apache-Coyote/1.1
That server is known to use OpenSSL and could have been vulnerable.

The SSL certificate for www.paypal.com valid 2 months ago at Feb 19 00:00:00 2014 GMT.
This is before the heartbleed bug was published, it may need to be regenerated.

It is incumbent on Paypal to report the facts.
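Added here as an example (not code from the thread or from any of the checker sites): a small Python script that parses a report in the format quoted above (the sample inside is constructed to match it) and applies the remediation order the posters are circling around: patch OpenSSL first, then re-issue the certificate, and only then change passwords. The 7 April 2014 disclosure date is the known public date; the `patched_at` input is an assumption the operator has to supply.

```python
import re
import ssl
from datetime import datetime, timezone

# Public disclosure date of Heartbleed (7 April 2014). A certificate whose
# validity started earlier was in use while the bug was live, so its private
# key may have been read out of server memory and it should be re-issued.
DISCLOSURE = datetime(2014, 4, 7, tzinfo=timezone.utc)

# Constructed sample, modelled on the checker report quoted in the thread.
SAMPLE_REPORT = """\
Detected server software of Apache-Coyote/1.1
That server is known to use OpenSSL and could have been vulnerable.
The SSL certificate for www.paypal.com valid 2 months ago at Feb 19 00:00:00 2014 GMT.
"""

CERT_RE = re.compile(r"certificate for (\S+) valid .*? at "
                     r"([A-Z][a-z]{2} \d{1,2} \d{2}:\d{2}:\d{2} \d{4} GMT)")


def parse_report(text):
    """Extract host, server banner, OpenSSL flag and certificate start date."""
    server = re.search(r"Detected server software of (.+)", text)
    cert = CERT_RE.search(text)
    if not cert:
        raise ValueError("no certificate line in report")
    # The date uses the same "Mon DD HH:MM:SS YYYY GMT" layout that
    # ssl.getpeercert()['notBefore'] returns, so the stdlib parser applies.
    not_before = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert.group(2)),
                                        tz=timezone.utc)
    return {
        "host": cert.group(1),
        "server": server.group(1).strip() if server else None,
        "uses_openssl": "known to use OpenSSL" in text,
        "cert_not_before": not_before,
        "issued_before_disclosure": not_before < DISCLOSURE,
    }


def assess(text, patched_at=None):
    """Return (status, advice) following patch -> re-issue cert -> rotate passwords.

    patched_at: UTC datetime when the operator patched OpenSSL; None if unknown.
    """
    info = parse_report(text)
    if not info["uses_openssl"]:
        return "not-affected", "Server not known to use OpenSSL."
    if patched_at is None:
        return "unpatched-or-unknown", "Wait: a password set now could leak the same way."
    if info["cert_not_before"] < patched_at:
        return "cert-needs-reissue", "Patched, but the key may have leaked; re-issue and revoke first."
    return "remediated", "Patched and running a fresh certificate; change passwords now."
```

Against a live host the same parsing works on `ssl.getpeercert()['notBefore']` instead of a checker's text, but the decision order is the same.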
