James Barrese, CTO, PayPal


 

There has been a lot of news in the past 24 hours about a security vulnerability in a version of OpenSSL, commonly known as the “Heartbleed Bug”. OpenSSL is a popular cryptographic software library used to help keep Internet communications private, so understandably you may have questions about how this might impact your private information.
 
We take the responsibility of keeping your personal information and financial details protected very seriously at PayPal. It is our top concern.
 
We would like to assure you that with regards to the Heartbleed bug:
 
1) Your PayPal account is secure
2) Your PayPal account details were not exposed in the past and remain secure
3) You do not need to take any additional action to safeguard your information
4) There is no need to change your password
 
While we always advise our customers to be cautious and aware of the security of their personal and financial information, in this case we want to reassure you there is no need to be unduly concerned. When you log in to PayPal using your user name and password, these details were not exposed to the OpenSSL vulnerability.
 
PayPal offers a full range of services beyond the core capabilities for which we are well known. Following a comprehensive review of all our services, our security teams did identify a handful of businesses that we recommend upgrade their Payflow Gateway integrations to eliminate the risk of vulnerability. The Payflow Gateway is a payment gateway for online merchants that links your website to your processing network or merchant account.
 
We have already been in touch with the merchants who could potentially be affected and are working with them to upgrade their integrations.
 
Again, we would like to reassure all our consumers that your PayPal account details remain secure. PayPal does not share account details with businesses when our customers make a transaction. It is a fundamental way that PayPal helps to keep our customers safer and more secure.
 
If you have any questions, please feel free to reach out to our customer support team.

Comments
by fool_onthe_hill New Community Member on 04-09-2014 01:26 PM

Good job, Paypal.  It's good to hear your security is up to the job.  Great service and reassuring to read your timely statement.

by rdifrancesco on 04-09-2014 06:01 PM

Can you elaborate on how you reached the conclusion that your systems were not affected by this bug?  Is it because your systems are not running a version of openssl affected by the bug?  Or are your systems now patched with the latest version of openssl?  If the latter, then we'll need some additional information to justify the four bullet points listed above because the nature of this vulnerability makes it impossible to know if any data was exposed at any point.

 

Thank you,

Ryan

by Pete Larkins on 04-09-2014 08:23 PM

Hi James,

 

It's great to have your statement for reassurance, but can you confirm it applies to Paypal businesses worldwide? The checker over at Lastpass identifies paypal.com.au as possibly being vulnerable to the bug, so are they on the same infrastructure as paypal North America, or on a different infrastructure and therefore potentially vulnerable?


Many thanks,

Peter

by Freddy J on 04-10-2014 03:13 AM

You are incorrect in the assumption that there is no need to change your password. Your paypal password can be compromised via third parties because of the wide use of openssl in both server and client software.

by Pueblo Strono on 04-10-2014 04:30 AM

You just talk about credentials. What about the private key?

by Heather4SSL on 04-10-2014 06:43 AM

Nice post but doesn't tell me if you use OpenSSL and if you have remediated. Will not use PayPal until there is a clear statement on your use (or not) of OpenSSL

by herb johnson on 04-10-2014 08:07 AM

According to lastpass.com/heartbleed/ which has a "checker" for SSL security, paypal.com is vulnerable, has an SSL security certificate over a year old. It says you use Apache/Coyote 1.1. Lastpass.com seems to be a reputable site for news on the Heartbleed security problem. Why does paypal.com fail their test?

 

herb johnson

 

by Stig Schjervheim on 04-10-2014 08:18 AM

About HeartBleed

 

You assure that my credentials are secure, but nowhere in the text do you state that the affected versions of OpenSSL have not been in use by PayPal since the first affected release.

Can you please make such a statement about whether you have had these versions in use on any of your servers or not?

 

Best Regards

by Mikael Magnuson on 04-11-2014 04:33 AM

Hi,

 

Thanks for this information.

First thing I did was google Paypal and Heartbleed and got this comforting information.

 

There should be more like you informing worrying customers.

 

Great job Mr. CTO, James Barrese

 

Have a nice weekend

 

Best regards

Mikael

by Bruce Epper on 04-11-2014 05:15 AM

James here must be a politician since he doesn't really answer the primary question everyone is asking.  Is/was the site using a vulnerable version of OpenSSL?

 

"We would like to assure you that with regards to the Heartbleed bug:
 
1) Your PayPal account is secure
2) Your PayPal account details were not exposed in the past and remain secure
3) You do not need to take any additional action to safeguard your information
4) There is no need to change your password"

 

If you really want to list those four points, there should really be five and the ones listed would be numbered 2 through 5.  The very first part of the response should read:

 

1) We were not using a vulnerable version of OpenSSL at PayPal.

 

or

 

1) We were using a vulnerable version of OpenSSL at PayPal and users should change their password to ensure their account security.

 

Anything less is a half-assed attempt at avoiding answering the question.  Just like a politician.  And we know we can't trust them.  So why doesn't James want us to trust him?

by jdale on 04-11-2014 07:39 AM

This statement seems devoid of important details.

 

Is the information safe because OpenSSL was not used? Because an older version of OpenSSL (pre-bug) was used? Because the heartbeat functionality was not enabled? Without that information, the statement basically says, "trust us," and frankly I don't know that I can trust such an empty claim.

by ParallaxMindMembersMonthlydotcom on 04-11-2014 09:35 AM

Excellent, excellent, excellent! As long as I've been a PayPal customer, your company has always been on top of things–especially security issues. You guys are top notch! Thank you for putting my concerns to rest with this post.

by dggardner on 04-11-2014 03:06 PM

Why is there no link to this article on your paypal.com homepage? This is important news and such a link would have saved me 2 days trying to contact your "support" team. I use the term support loosely, since I have yet to receive an answer. I found this page through Google, not from any proactive notification your useless staff did.

 

-dgg

 

by Cynthia Harper on 04-11-2014 04:09 PM

Thank you!!!!!

by E6gosh4G on 04-11-2014 10:04 PM

I am kind of surprised no one has commented on this yet...so I'll be the one to ask.

 

You are saying that our information is secure, but you are not giving a reason for me to believe you. Just saying it is secure just adds to my skepticism. I would like to know the details by which you are assuring that the PayPal server is patched. I would like something more concrete to hold onto than just a word of assurance, like a reason for how PayPal avoided this bug. I would really appreciate it.

by Eric Bergerson on 04-12-2014 09:12 AM

Paypal's response to the Heartbleed Bug is the only one that sounds duplicitous.  When your statement says, "Your PayPal account details were not exposed in the past and remain secure," you avoid directly answering the question whether my account is now currently exposed. When you say I need not be 'unduly' concerned, I want to know how concerned, then, do I need to be.  When you say some merchants have been advised of the problem, I need to know which merchants.  As an attorney myself, I have to say you need to find other attorneys to better and more clearly craft your response.

by Moty Goldstein on 04-12-2014 04:11 PM

Your statement does not specify if Paypal was using OpenSSL, and whether it was a vulnerable version or not.

For us to feel safe with you, you need to be more transparent (as in truthful disclosure) !

by HENAULT on 04-13-2014 02:59 AM

Good morning,

Is it possible to have a translation in French of your article concerning "OPEN SSL HEARTBLEED BUG"?

I am a customer of your payment system.

Sorry for my bad English.

Best regards

Lucien HENAULT - France

by Dean Mersky on 04-13-2014 09:33 AM

Pretty weak, Pay Pal. I had to search online to find an answer, after sending an internal email to Pay Pal. You should have sent out emails to let us all know current status instead of the advertisements you so easily disburse. Would have been a nice touch, don't you think?

by Pages on 04-14-2014 10:41 PM

Hi,

Does that mean that you are not using OpenSSL on your servers?

Otherwise, how can it be possible that Paypal account details were not exposed?

Kindly be more explicit to be credible.

Regards,

Jacques
