an_security_nut New Community Member

Heartbleed

Hey, Paypal,

Just logged in today to change my password after the revelations about Heartbleed, and was astounded that you didn't preemptively force a password reset.

For those reading this who don't know, Heartbleed is a vulnerability in, basically, the underpinnings of secure Web traffic (the OpenSSL implementation of the TLS/SSL protocol), which makes it possible for hackers to potentially get your passwords right out of a server's RAM. It is prudent, with the revelation, to change all your passwords soon - especially those protecting sensitive data like card numbers.

snowshoe Volunteer Advisor

Re: Heartbleed

You may want to contact Tech Support about your concerns.

https://ppmts.custhelp.com/app/home

cj99 New Community Member

Re: Heartbleed

Who says they use OpenSSL? There are other SSL alternatives. I assume from their silence, Heartbleed is not an issue.

Zosoled New Community Member

Re: Heartbleed

From filippo.com/hearbleed, PayPal IS VULNERABLE. The tool is actively able to exploit the bug.

This must be addressed immediately, gonna email tech support now.

SelbyBill New Community Member

Re: Heartbleed

It is my understanding, per the CNN article below, that if PayPal uses the affected SSL it must be patched before changing your password or your new password would be compromised as well. I am curious if PayPal even uses the openSSL or if they have their own proprietary code written themselves. http://money.cnn.com/2014/04/09/technology/security/heartbleed-bug/index.html

westernstar New Community Member

Re: Heartbleed

According to my bank's statement about Heartbleed, they listed paypal.com as an infected company, as well as amazon.com. Here is a link to the bank release I received today. https://www.ffb.com/542.htm

designprophets New Community Member

Re: Heartbleed

I just checked LastPass and they show that as of April 9, 2014, PayPal IS vulnerable:

https://lastpass.com/heartbleed/?h=www.paypal.com

You can check any https url with the tool above to determine if any of your other "Trusted" sites are also vulnerable.

matteperez82 New Community Member

Re: Heartbleed

So we have to wait before changing the password?

Mexlex New Community Member

Re: Heartbleed

What the various HEARTBLEED BUG checkers can do is determine what server software is being used for https access to the server.

For example, in the case of https://paypal.com this is the report:

Detected server software of Apache-Coyote/1.1
That server is known to use OpenSSL and could have been vulnerable.

The SSL certificate for www.paypal.com valid 2 months ago at Feb 19 00:00:00 2014 GMT.
This is before the heartbleed bug was published, it may need to be regenerated.

It is incumbent on Paypal to report the facts.

Palatin New Community Member