04-08-2014 04:37 PM
Just logged in today to change my password after the revelations about Heartbleed, and was astounded that you didn't preemptively force a password reset.
For those reading this who don't know, Heartbleed is a vulnerability in, basically, the underpinnings of secure Web traffic (the OpenSSL implementation of the TLS/SSL protocol), which makes it possible for hackers to potentially get your passwords right out of a server's RAM. It is prudent, with the revelation, to change all your passwords soon - especially those protecting sensitive data like card numbers.
04-09-2014 12:59 PM
It is my understanding, per the CNN article below, that if PayPal uses the affected SSL, it must be patched before changing your password, or your new password would be compromised as well. I am curious if PayPal even uses OpenSSL or if they have their own proprietary code written themselves. http://money.cnn.com/2014/04/09/technology/securit
04-11-2014 01:44 PM
According to my bank's statement about Heartbleed, they listed paypal.com as an infected company, as well as amazon.com. Here is a link to the bank release I received today. https://www.ffb.com/542.htm
04-09-2014 01:16 PM
I just checked LastPass and they show that as of April 9, 2014, PayPal IS vulnerable:
You can check any https url with the tool above to determine if any of your other "Trusted" sites are also vulnerable.
04-09-2014 11:50 PM
What the various HEARTBLEED BUG checkers can do is determine what server software is used for HTTPS access to the server.
For example, in the case of https://paypal.com this is the report:
Detected server software of Apache-Coyote/1.1
That server is known to use OpenSSL and could have been vulnerable.
The SSL certificate for www.paypal.com became valid 2 months ago, at Feb 19 00:00:00 2014 GMT.
This is before the Heartbleed bug was published; it may need to be regenerated.
It is incumbent on PayPal to report the facts.
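The two points raised in this thread (change your password only after the server is patched, and a certificate issued before the disclosure may need reissuing because its private key could have leaked) can be turned into a small decision check. This is an added example, not code from any poster or from PayPal; the server status and the OpenSSL-style date string are assumed inputs, and the example is constructed to show the reasoning, not to probe any real server.

```python
from datetime import datetime, timezone

# Public disclosure date of the Heartbleed bug (CVE-2014-0160): 7 April 2014.
HEARTBLEED_DISCLOSED = datetime(2014, 4, 7, tzinfo=timezone.utc)


def parse_openssl_date(text):
    """Parse OpenSSL's certificate date format, e.g. 'Feb 19 00:00:00 2014 GMT'.

    OpenSSL pads single-digit days with a space ('Apr  9 ...'); strptime
    tolerates the extra whitespace, so both forms parse.
    """
    parsed = datetime.strptime(text.strip(), "%b %d %H:%M:%S %Y %Z")
    return parsed.replace(tzinfo=timezone.utc)


def cert_predates_disclosure(not_before):
    """True if the certificate was issued before Heartbleed was made public.

    Such a certificate was in use while the bug was exploitable, so its
    private key may have been read from server memory and it should be
    reissued (and the old one revoked) after the server is patched.
    """
    return not_before < HEARTBLEED_DISCLOSED


def password_change_advice(server_patched, not_before_text):
    """Decide whether changing a password on this site is useful yet.

    server_patched:  assumed input, whether the site has confirmed a fix.
    not_before_text: the certificate's notBefore date as shown by OpenSSL.
    Returns one of: 'wait_for_patch', 'wait_for_new_cert', 'change_now'.
    """
    if not server_patched:
        # A new password sent to an unpatched server can be read out of
        # its memory just like the old one, so changing it now gains nothing.
        return "wait_for_patch"
    if cert_predates_disclosure(parse_openssl_date(not_before_text)):
        # Patched, but the old key may be known to an attacker, who could
        # still impersonate the site or decrypt non-forward-secret sessions.
        return "wait_for_new_cert"
    return "change_now"


if __name__ == "__main__":
    # Constructed sample matching the report quoted in this thread.
    print(password_change_advice(True, "Feb 19 00:00:00 2014 GMT"))
```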