Heartbleed

New Community Member

Heartbleed

Hey, Paypal,


Just logged in today to change my password after the revelations about Heartbleed, and was astounded that you didn't preemptively force a password reset.


For those reading this who don't know, Heartbleed is a vulnerability in, basically, the underpinnings of secure Web traffic (the OpenSSL implementation of the TLS/SSL protocol), which makes it possible for hackers to potentially get your passwords right out of a server's RAM. It is prudent, with the revelation, to change all your passwords soon, especially those protecting sensitive data like card numbers.

13 REPLIES
Volunteer Advisor

Re: Heartbleed

You may want to contact Tech Support about your concerns.

https://ppmts.custhelp.com/app/home

New Community Member

Re: Heartbleed

Who says they use OpenSSL? There are other SSL alternatives. I assume from their silence that Heartbleed is not an issue.
New Community Member

Re: Heartbleed

From filippo.com/hearbleed, PayPal IS VULNERABLE. The tool is actively able to exploit the bug.

This must be addressed immediately, gonna email tech support now.

New Community Member

Re: Heartbleed

It is my understanding, per the CNN article below, that if PayPal uses the affected SSL it must be patched before changing your password, or your new password would be compromised as well. I am curious if PayPal even uses OpenSSL or if they have their own proprietary code written themselves. http://money.cnn.com/2014/04/09/technology/security/heartbleed-bug/index.html

New Community Member

Re: Heartbleed

According to my bank, which issued a statement about Heartbleed, paypal.com is listed as an infected company, as is amazon.com. Here is a link to the bank release I received today. https://www.ffb.com/542.htm

New Community Member

Re: Heartbleed

I just checked LastPass and they show that as of April 9, 2014, PayPal IS vulnerable:


https://lastpass.com/heartbleed/?h=www.paypal.com


You can check any https url with the tool above to determine if any of your other "Trusted" sites are also vulnerable.

New Community Member

Re: Heartbleed

so we have to wait before changing the password?

New Community Member

Re: Heartbleed

What the various HEARTBLEED BUG checkers can do is determine what server software is in use for https access to the server.


For example, in the case of https://paypal.com this is the report


Detected server software of Apache-Coyote/1.1
That server is known to use OpenSSL and could have been vulnerable.

The SSL certificate for www.paypal.com valid 2 months ago at Feb 19 00:00:00 2014 GMT.
This is before the heartbleed bug was published, it may need to be regenerated.


It is incumbent on Paypal to report the facts.
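The posts above describe what the bug does (a server handing back its own RAM, possibly containing other users' passwords) and what the online checkers test for, but not why a heartbeat request can leak memory in the first place. The following is an added example, written for this thread and not code from PayPal, OpenSSL, or any of the checker sites linked above. It models the RFC 6520 heartbeat message on constructed bytes: an attacker's short request with an oversized payload_length, a "heap" buffer that is entirely made up here (the record followed by a fabricated login request from a neighbouring connection), a copy routine that trusts the claimed length the way OpenSSL 1.0.1 through 1.0.1f did, and the bounds check modelled on the one the 1.0.1g fix added. The function and variable names are this example's own.

```python
"""Heartbleed mechanics on constructed bytes (added example, not from the thread).

RFC 6520 heartbeat message layout:  type(1) | payload_length(2) | payload | padding(>=16)

Vulnerable OpenSSL copied payload_length bytes from the received record into the
response without checking that the record actually contained that many bytes, so
a request carrying a few bytes but claiming up to 65535 returned adjacent heap.
"""
import struct
from typing import Optional

HB_REQUEST = 1
HB_RESPONSE = 2
PADDING = 16  # RFC 6520 minimum padding


def build_heartbeat_request(payload: bytes, claimed_length: Optional[int] = None) -> bytes:
    """Build a heartbeat request body. claimed_length defaults to the real payload
    size; an attacker sets it far larger than the payload actually sent."""
    if claimed_length is None:
        claimed_length = len(payload)
    return bytes([HB_REQUEST]) + struct.pack("!H", claimed_length) + payload + b"\x00" * PADDING


def heartbeat_vulnerable(memory: bytes, record_length: int) -> bytes:
    """Model of the pre-fix handler. `memory` is a constructed heap buffer whose
    first record_length bytes are the received record. The claimed payload_length
    is read from the record and that many bytes are copied from the payload
    offset, walking straight past record_length into whatever follows.
    (Python slicing stops at the end of the buffer; the C memcpy did not.)"""
    hbtype = memory[0]
    payload_len = struct.unpack("!H", memory[1:3])[0]
    if hbtype != HB_REQUEST:
        return b""
    leaked = memory[3:3 + payload_len]  # no comparison against record_length
    return bytes([HB_RESPONSE]) + struct.pack("!H", payload_len) + leaked + b"\x00" * PADDING


def heartbeat_patched(memory: bytes, record_length: int) -> Optional[bytes]:
    """Model of the fixed handler: a request whose header, claimed payload and
    minimum padding do not fit inside the record actually received is silently
    discarded instead of answered."""
    if 1 + 2 + PADDING > record_length:
        return None  # too short to even hold a header and padding
    hbtype = memory[0]
    payload_len = struct.unpack("!H", memory[1:3])[0]
    if 1 + 2 + payload_len + PADDING > record_length:
        return None  # claimed payload does not fit in the record: drop it
    if hbtype != HB_REQUEST:
        return None
    return bytes([HB_RESPONSE]) + struct.pack("!H", payload_len) + memory[3:3 + payload_len] + b"\x00" * PADDING


# Constructed neighbouring heap data: a fabricated login request from another
# connection that happened to sit next to the attacker's record in memory.
SECRET_NEIGHBOUR = b"POST /login\r\nlogin_email=alice%40example.com&login_password=hunter2\r\n"

# Attacker's record: two real payload bytes, but a claimed length of 16384.
ATTACK_RECORD = build_heartbeat_request(b"hi", claimed_length=0x4000)


def demo(neighbour: bytes = SECRET_NEIGHBOUR) -> dict:
    """Run the oversized request through both handlers over the same constructed heap."""
    memory = ATTACK_RECORD + neighbour
    vuln_response = heartbeat_vulnerable(memory, len(ATTACK_RECORD))
    fixed_response = heartbeat_patched(memory, len(ATTACK_RECORD))
    return {
        "vulnerable_leaks_secret": b"login_password=hunter2" in vuln_response,
        "vulnerable_response_bytes": len(vuln_response),
        "patched_response": fixed_response,
    }


if __name__ == "__main__":
    result = demo()
    print("vulnerable handler leaked the neighbour's password:", result["vulnerable_leaks_secret"])
    print("patched handler answered with:", result["patched_response"])
```

A well-formed request (claimed length equal to the real payload) is answered identically by both handlers, which is why the bug went unnoticed by ordinary clients: only a deliberately mismatched length triggers the over-read, and the checkers linked in this thread send exactly such a request and look at whether the server replies with more bytes than it was given.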