Author Topic: SSL Heartbleed Vulnerability and Third-party sites  (Read 7085 times)

AnilG

SSL Heartbleed Vulnerability and Third-party sites
« on: April 09, 2014, 04:24:55 AM »
Just in case forum members who are using third-party sites for lending are not aware of the recent SSL Heartbleed bug. Also, if any third-party sites are not using SSL/HTTPS, you should be asking them why not, especially the ones who are doing automated investing on your behalf.

It is a serious bug and you should check that the sites you are using are patched up. More information on the bug at http://heartbleed.com. To check whether any site is vulnerable, use http://filippo.io/Heartbleed/.

It appears Nickel Steamroller and PeerCube are no longer vulnerable. Interest Radar appears to be vulnerable.

http://filippo.io/Heartbleed/#nickelsteamroller.com - All good, nickelsteamroller.com seems not affected!
http://filippo.io/Heartbleed/#peercube.com - All good, peercube.com seems not affected!

http://filippo.io/Heartbleed/#interestradar.com - interestradar.com IS VULNERABLE.
Here is some data we pulled from the server memory:
(we put YELLOW SUBMARINE there, and it should not have come back)

Code:
([]uint8) {
 00000000  02 00 79 68 65 61 72 74  62 6c 65 65 64 2e 66 69  |..yheartbleed.fi|
 00000010  6c 69 70 70 6f 2e 69 6f  59 45 4c 4c 4f 57 20 53  |lippo.ioYELLOW S|
 00000020  55 42 4d 41 52 49 4e 45  2f cc 95 af 1c 11 0e d9  |UBMARINE/.......|
 00000030  7f b7 85 12 58 82 9d db  62 64 42 63 84 e9 5c a2  |....X...bdBc..\.|
 00000040  8d fd fb 50 e9 20 1b 2c  cd 21 40 70 7a a1 83 72  |...P. .,.!@pz..r|
 00000050  3c 76 03 e3 85 a8 fe 46  29 d9 63 2f ae 43 16 b9  |<v.....F).c/.C..|
 00000060  f0 8e 44 4f 76 36 86 28  3a 25 ac 7c 02 59 17 2b  |..DOv6.(:%.|.Y.+|
 00000070  05 d3 d1 7e ac 0a a4 cb  e5 dc 0b 7b df 78 29 ca  |...~.......{.x).|
 00000080  10 e0 88 b2 0e 52 82 e7  37 8a 45 3c              |.....R..7.E<|
}
---
Anil Gupta
PeerCube Thoughts blog https://www.peercube.com/blog
PeerCube https://www.peercube.com
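The check that the Heartbleed patch adds to OpenSSL's heartbeat handling, written out as an added Python example (not code from the original post or from any of the sites mentioned): the responder compares the payload length a heartbeat message claims against the bytes actually received and silently drops any message whose claimed length does not fit, which is the timeout behaviour the checker tool shows on patched hosts.

```python
import struct

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
MIN_PADDING = 16  # RFC 6520: every heartbeat message carries at least 16 bytes of padding


def encode_heartbeat(msg_type, payload, claimed_len=None, padding=b"\x00" * MIN_PADDING):
    """Encode a HeartbeatMessage: type(1) | payload_length(2) | payload | padding.

    claimed_len lets a test construct a message whose length field overstates the
    payload, which is exactly the malformed input the unpatched code trusted."""
    length = len(payload) if claimed_len is None else claimed_len
    return struct.pack("!BH", msg_type, length) + payload + padding


def parse_heartbeat(record):
    """Parse a heartbeat record the way a patched responder does.

    Returns (msg_type, payload), or None when the record must be silently discarded."""
    if len(record) < 1 + 2 + MIN_PADDING:  # cannot even hold header plus padding
        return None
    msg_type, claimed = struct.unpack("!BH", record[:3])
    if msg_type not in (HEARTBEAT_REQUEST, HEARTBEAT_RESPONSE):
        return None
    # The Heartbleed fix: header + claimed payload + padding must fit inside the
    # bytes actually received; unpatched code copied `claimed` bytes regardless.
    if 1 + 2 + claimed + MIN_PADDING > len(record):
        return None
    return msg_type, record[3:3 + claimed]


def heartbeat_response(record):
    """Answer a heartbeat request; None means the request was dropped without reply."""
    parsed = parse_heartbeat(record)
    if parsed is None or parsed[0] != HEARTBEAT_REQUEST:
        return None
    return encode_heartbeat(HEARTBEAT_RESPONSE, parsed[1])
```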

rawraw

Re: SSL Heartbleed Vulnerability and Third-party sites
« Reply #1 on: April 09, 2014, 06:56:10 PM »
Thanks Anil.  This is a huge issue.  I was at work trying to explain to computer illiterate people why this was such a big deal.

lascott

Re: SSL Heartbleed Vulnerability and Third-party sites
« Reply #2 on: April 09, 2014, 09:43:56 PM »
In case people use LastPass

Title: LastPass Now Tells You Which Heartbleed-Affected Passwords to Change
http://lifehacker.com/lastpass-now-tells-you-which-heartbleed-affected-passwo-1561522244
Tools I use: (main) BlueVestment: https://www.bluevestment.com/app/pricing + https://www.interestradar.com/ , (others) Lending Robot referral link: https://www.lendingrobot.com/ref/scott473/  & Peercube referral code: DFVA9Y

lascott

Re: SSL Heartbleed Vulnerability and Third-party sites
« Reply #3 on: April 09, 2014, 09:46:38 PM »
> http://filippo.io/Heartbleed/#interestradar.com - interestradar.com IS VULNERABLE.
This link now says: All good, interestradar.com seems fixed or unaffected!

rawraw

Re: SSL Heartbleed Vulnerability and Third-party sites
« Reply #4 on: April 09, 2014, 09:55:54 PM »
> In case people use LastPass
>
> Title: LastPass Now Tells You Which Heartbleed-Affected Passwords to Change
> http://lifehacker.com/lastpass-now-tells-you-which-heartbleed-affected-passwo-1561522244
Didn't see this, thanks!

Rob L

Re: SSL Heartbleed Vulnerability and Third-party sites
« Reply #5 on: April 10, 2014, 09:31:27 AM »
Rev, correct me if I'm wrong, but now that IR has been fixed, the recommended thing to do is to change your IR password and presumably your LC password (if it was provided to IR).
My reading is that any information sent to a server with the Heartbleed bug (past 2 years) has potentially been compromised and it is impossible to know if that happened.

I checked Lending Club and found it either not affected or was fixed. If it was never affected I don't need to do anything, but if fixed then I need to change my password and API credentials.
Has LC issued a statement on this? There's nothing on their blog.

What about Lending Robot and BlueVestment? Any statements from them?

The whole issue is a strong argument for periodically changing one's passwords. I'm lazy and guilty of not doing so. There's just sooo many.

Emmanuel

Re: SSL Heartbleed Vulnerability and Third-party sites
« Reply #6 on: April 10, 2014, 11:17:20 AM »
LendingRobot has been patched a few hours after the bug was discovered.

Rob L

Re: SSL Heartbleed Vulnerability and Third-party sites
« Reply #7 on: April 10, 2014, 12:40:18 PM »
> LendingRobot has been patched a few hours after the bug was discovered.

Discovered by whom?

Clearly it would be an extreme stretch to imagine LendingRobot was targeted by adversaries who may have discovered the bug before it became public.
It would make no sense. So many more valuable sites were vulnerable. Nevertheless the bug was there and an exploit would have been undetectable.
Wouldn't it be prudent for you to recommend your customers change their LendingRobot password, LC password and LC API authentication string? Couldn't hurt.

giladg

LendingRobot and Heartbleed vulnerability
« Reply #8 on: April 10, 2014, 03:24:14 PM »
>> LendingRobot has been patched a few hours after the bug was discovered.
>
> Discovered by whom?
>
> Clearly it would be an extreme stretch to imagine LendingRobot was targeted by adversaries who may have discovered the bug before it became public.
> It would make no sense. So many more valuable sites were vulnerable. Nevertheless the bug was there and an exploit would have been undetectable.
> Wouldn't it be prudent for you to recommend your customers change their LendingRobot password, LC password and LC API authentication string? Couldn't hurt.

Let me clarify:

1. LendingRobot's infrastructure uses OpenSSL; as such, like most of the internet, it has been vulnerable for the past year. We saw no evidence of exploit or tampering, but, like the rest of the internet, we have no way of knowing for sure.

2. LendingRobot runs on a PaaS (Platform as a Service) service, and some platform features such as SSL endpoints are managed by the service, not directly by us. The provider we use was quick in patching all SSL endpoints, which was done yesterday morning - hours after the vulnerability was reported, so as of Tuesday (4/8/14) morning LendingRobot is patched and not vulnerable to Heartbleed attacks.

3. As an extra precaution, after the SSL endpoint was patched, we reissued and replaced our SSL certificate. This ensures that even if an exploit took place and an attacker gained access to our private key, they can't exploit the site or eavesdrop on user traffic.

4. If you try using http://filippo.io/Heartbleed/#lendingrobot.com to test for the vulnerability, you'd get a "something went wrong" message. Rest assured - the site is patched, and not vulnerable. This is simply the way the patch works - it responds to attack attempts by timing them out (details here http://filippo.io/Heartbleed/faq.html#wentwrong).

I hope this answers any questions you might have; if you have any more questions or concerns, send us an email to support@lendingrobot.com.

Gilad.
« Last Edit: April 10, 2014, 05:55:57 PM by giladg »
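Point 3 above is something a user can verify for any site they depend on: the certificate now being served should have been issued after the host was patched, and should not be the one served while it was vulnerable. The following is an added Python example (not LendingRobot's or the forum's code) using only the standard library; the certificate dictionary, serial numbers and patch time are constructed placeholders in the shape that `ssl.SSLSocket.getpeercert()` returns.

```python
import socket
import ssl

# Constructed sample in the shape getpeercert() returns; not a real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "example.invalid"),),),
    "serialNumber": "0A1B2C",
    "notBefore": "Apr 10 12:00:00 2014 GMT",
    "notAfter": "Apr 10 12:00:00 2015 GMT",
}

# Assumed time the site's SSL endpoint was patched (placeholder, not a real value).
PATCH_TIME = "Apr 08 09:00:00 2014 GMT"


def fetch_cert(host, port=443):
    """Fetch the certificate a live host serves, in getpeercert() dictionary form."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port)) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def cert_reissued_after_patch(cert, patch_time, old_serials=()):
    """True when the served cert post-dates the patch and is not a serial seen before it.

    A certificate issued before the patch may be bound to a private key that was
    exposed while the host was vulnerable, so a fresh issuance is the signal to
    look for; old_serials lets a caller flag the exact certificate seen earlier."""
    issued = ssl.cert_time_to_seconds(cert["notBefore"])
    patched = ssl.cert_time_to_seconds(patch_time)
    if issued < patched:
        return False
    if cert.get("serialNumber") in old_serials:
        return False
    return True
```

For a live host, call `cert_reissued_after_patch(fetch_cert("host.example"), PATCH_TIME)` with the operator's actual patch time in place of the placeholder.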

Rob L

Re: SSL Heartbleed Vulnerability and Third-party sites
« Reply #9 on: April 10, 2014, 06:16:25 PM »
Hey, I'm not a LendingRobot customer so I don't have a dog in this fight. Please, do whatever you want (including ignore me).
LR and its PaaS provider responded promptly to the news and plugged the hole. I salute you.

Yes, your response did address the problem I described (potential though extremely unlikely theft of customer passwords and credentials over the past year).
Your point one clearly says your site has been vulnerable over the past year and you do not know for sure if tampering occurred.

BTW, I would recommend IR and PeerCube users change their login and LC passwords (IR does not use the API as I understand it so it doesn't hold those credentials).
Same goes for NSR and BlueVestment users if those services were vulnerable (I do not know). If they weren't they were just lucky.
If there are any other 3rd party services that held LC and/or Prosper passwords over the past year I'm sorry I didn't include them; they should be.
I'm not trying to pick on LR here; it bears no responsibility for the error. It and millions of other servers are using OpenSSL.
If I operated a site it would have been vulnerable too.


AnilG

Re: SSL Heartbleed Vulnerability and Third-party sites
« Reply #10 on: April 10, 2014, 07:10:57 PM »
Rob,

PeerCube doesn't store Lending Club and Prosper credentials for users. We already sent out an email with a security alert. We also display a security alert on the User Dashboard with a recommendation to change the password for access to PeerCube.

> BTW, I would recommend IR and PeerCube users change their login and LC passwords (IR does not use the API as I understand it so it doesn't hold those credentials).

Rob L

Re: SSL Heartbleed Vulnerability and Third-party sites
« Reply #11 on: April 10, 2014, 08:07:31 PM »
> Rob,
> PeerCube doesn't store Lending Club and Prosper credentials for users. We already sent out an email with a security alert. We also display a security alert on the User Dashboard with a recommendation to change the password for access to PeerCube.

You started this thread (which was the first I'd heard of Heartbleed) so thanks for the heads up. It seems you've done everything you can.

rawraw

Re: SSL Heartbleed Vulnerability and Third-party sites
« Reply #12 on: April 10, 2014, 10:08:17 PM »
>> Rob,
>> PeerCube doesn't store Lending Club and Prosper credentials for users. We already sent out an email with a security alert. We also display a security alert on the User Dashboard with a recommendation to change the password for access to PeerCube.
>
> You started this thread (which was the first I'd heard of Heartbleed) so thanks for the heads up. It seems you've done everything you can.
That's a shame.  Heartbleed should be on the news as much as the missing plane IMO

Rob L

Re: SSL Heartbleed Vulnerability and Third-party sites
« Reply #13 on: April 10, 2014, 11:15:39 PM »
Got an email from Credit Karma recommending I change my password and mentioning Heartbleed, so I would have heard about it by now.
Probably will get more of same over the next few days. Fortunately none of my banking or brokerage affiliations were ever vulnerable.
I never heard if LC itself was exposed though. It may be all over the news but I wouldn't know. Don't pay much attention to it.