Heartbleed

an_security_nut
New Community Member

Hey, Paypal,


Just logged in today to change my password after the revelations about Heartbleed, and was astounded that you didn't preemptively force a password reset.

For those reading this who don't know, Heartbleed is a vulnerability in, basically, the underpinnings of secure Web traffic (the OpenSSL implementation of the TLS/SSL protocol), which makes it possible for hackers to potentially get your passwords right out of a server's RAM. It is prudent, with the revelation, to change all your passwords soon - especially those protecting sensitive data like card numbers.

13 REPLIES

sbradfor69
Contributor

Interesting. According to that last post, Paypal is saying they are secure, yet when checking paypal.com with Lastpass' heartbleed detector (https://lastpass.com/heartbleed/) they say paypal.com is NOT safe.

vincentkezel
Contributor

The Lastpass website makes a general estimation of whether a site is either: not vulnerable, or *possibly* vulnerable. Lastpass would not be able to reliably ascertain which SSL provider a website uses, and even then, which version was used. Lastpass looks for evidence of the http server, Apache for example, and estimates that there is a possibility because a vulnerable version of OpenSSL *could* have been installed with Apache.

A real-life analogy would be a website checking a VIN number on a car for sale, and saying it may be totally damaged by flood water, just because the car was in a state where a flood occurred in the past.

That being said, Lastpass was a great resource for people who wanted to change their passwords, and needed a place to start... possibly vulnerable sites first.

Today using Lastpass on https://paypal.com creates a not vulnerable message. https://lastpass.com/heartbleed/?h=paypal.com

As already said in a previous post, PayPal announced that they were not affected by heartbleed. https://www.paypal-community.com/t5/PayPal-Forward/OpenSSL-Heartbleed-Bug-PayPal-Account-Holders-are...
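The kind of estimate vincentkezel describes above, written out as an added example (this is not LastPass's code and not anything posted in the thread): the only passive evidence a checker has is the HTTP Server banner and the certificate's notBefore date, so the best it can say from a bare "Apache" banner is "possibly", and it can only call a build "affected" when the banner actually advertises an OpenSSL version. The field names, the action codes and all sample inputs are my own constructions; the vulnerable-release range (1.0.1 through 1.0.1f, plus 1.0.2-beta1) and the disclosure date are public facts about CVE-2014-0160.

```python
"""Heuristic Heartbleed exposure assessment from passive evidence.

Added example, not LastPass's code. Models what a banner-and-certificate
checker can and cannot conclude. Sample inputs are constructed.
"""
import re
from datetime import date

# Public disclosure date of CVE-2014-0160 (Heartbleed).
DISCLOSURE = date(2014, 4, 7)

# Banners of servers commonly built against OpenSSL (httpd, nginx, lighttpd).
# Tomcat's "Apache-Coyote" is deliberately absent: its default connectors use
# the JVM's TLS stack, so that banner alone is no evidence of OpenSSL, which is
# exactly the false positive the thread saw flip from "not safe" to "safe".
OPENSSL_LINKED_BANNERS = (r"^apache/", r"^nginx", r"^lighttpd")


def is_vulnerable_version(version):
    """True if an upstream OpenSSL version string is 1.0.1 through 1.0.1f or
    1.0.2-beta1, the releases that shipped the unchecked heartbeat length.
    Caveat: distribution packages often backport the fix without bumping this
    string, so True means "matches an affected upstream release", not
    "confirmed unpatched"."""
    if version.startswith("1.0.2-beta1"):
        return True
    m = re.match(r"1\.0\.1([a-z]?)(?![0-9])", version)
    return bool(m) and m.group(1) <= "f"


def parse_openssl_version(server_header):
    """Pull the version out of a token like 'OpenSSL/1.0.1e' in a Server
    header; None if the banner does not advertise OpenSSL at all."""
    for token in server_header.split():
        if token.lower().startswith("openssl/"):
            return token.split("/", 1)[1]
    return None


def assess(server_header, cert_not_before):
    """Classify exposure from a Server header and the certificate's notBefore
    date (ISO string, e.g. '2014-04-09'). Returns the evidence plus a
    recommended action for the account holder. A patched build seen after
    disclosure does not prove the server was never exposed; only the
    operator knows that, which is why the thread defers to PayPal's notice."""
    banner = server_header.lower()
    version = parse_openssl_version(server_header)
    if version is not None:
        status = "affected" if is_vulnerable_version(version) else "not_affected"
    elif any(re.search(p, banner) for p in OPENSSL_LINKED_BANNERS):
        status = "possibly"
    else:
        status = "unknown"

    # A key pair issued after disclosure is the only passive sign that a
    # previously exposed server was rekeyed.
    cert_reissued = date.fromisoformat(cert_not_before) >= DISCLOSURE

    if status == "not_affected":
        action = "none_unless_reused"   # LastPass's wording for a safe site
    elif status == "unknown":
        action = "no_evidence"          # nothing to act on from the banner
    elif cert_reissued:
        action = "change_now"           # patched and rekeyed: safe to rotate
    else:
        action = "wait_for_rekey"       # rotating now could leak the new one

    return {"server": server_header, "openssl_version": version,
            "openssl_status": status, "cert_reissued": cert_reissued,
            "action": action}


if __name__ == "__main__":
    # Constructed sample evidence, not real observations of any site.
    samples = [("Apache/2.2.22 (Ubuntu) OpenSSL/1.0.1e", "2014-01-10"),
               ("Apache/2.2.22 (Ubuntu) OpenSSL/1.0.1g", "2014-04-09"),
               ("Apache/2.4.7 (Ubuntu)", "2014-04-09"),
               ("Apache-Coyote/1.1", "2014-02-01")]
    for header, issued in samples:
        print(assess(header, issued))
```

The Apache-Coyote sample comes out "unknown" rather than "possibly", which is the point of the post's VIN analogy: a banner heuristic is a prompt to go and check, and the site operator's own statement is the only authoritative answer.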

Starspeed
New Community Member

Latest reading on LastPass (as of 8:15pm CT)


Site: www.paypal.com

Server software: Apache-Coyote/1.1

Was vulnerable: No

SSL Certificate: Safe (regenerated 2 months ago)

Assessment: This server was not vulnerable, no need to change your password unless you have used it on any other site!
