You may have heard about the Heartbleed OpenSSL vulnerability in the news. This particular vulnerability affected (and may still affect) approximately 70% of the websites on the Internet, BrandVerity included.
While the vulnerability is serious, at no point did it expose any underlying BrandVerity servers or stored data - an attacker could have exposed 'data in transit' during the vulnerability window and most likely only if they had access to a segment of the network between your computer and BrandVerity (such as on an open wifi connection or its equivalent).
The vulnerability was resolved early Tuesday morning and we had issued new encryption certificates later in the afternoon. We believe the likelihood that you were at all impacted through BrandVerity is very, very low. However, we wanted to provide a complete background for those interested in understanding the impact of the vulnerability and how we have handled it. We hope this may help you handle other sites that could still be vulnerable.
How did this impact my account at BrandVerity?
In all likelihood, this did not affect your account with BrandVerity at all. There’s a slim chance that an attacker could potentially have captured data that traveled to or from our server during a brief 10.5 hour window Monday night. The data that could have been captured is similar to what an attacker on a shared WIFI network could capture when you use a non-SSL site.
You'll also need to login the next time you access BrandVerity. We recommend changing your BrandVerity password to protect against the unlikely event that it was compromised. We would also recommend doing this for all SSL sites you use, including banks, social networking sites and so on and we describe in more detail steps you should take below.
Are other sites vulnerable?
Yes. We did some light testing of popular websites in the affiliate space and found some to be safe and others to still be vulnerable. Other sites, including banks, Facebook, and many others had similar exposure to us. Some, like us, have fixed this, but others remain vulnerable. You can check whether a site is still vulnerable with this Heartbleed testing tool.
What should I do if a site I use is still vulnerable?
It would be wise to avoid using that site until the Heartbleed testing tool (linked above) no longer shows a vulnerability. After that, you should wait until the site has re-keyed their SSL certificate (which we have already done), then change your password. If the site is still using an older certificate whose private key was captured, your new password could be captured as well. We hope that other sites will also send out emails like this to notify their customers that they have resolved the issue and re-keyed their certificates.
Background and Details
What is the Heartbleed vulnerability?
A much more in depth discussion and Q&A can be found at heartbleed.com, but in brief, the vulnerability allows an attacker to retrieve 64Kb of memory from webservers that use OpenSSL. This memory might include, but is not limited to: usernames and passwords, session cookies, and certificate private keys. The memory dump an attacker can retrieve is a soup of data, which at 64Kb will not be all of the server memory. However, with enough effort and luck the aforementioned security elements could be extracted. As an example, security researchers have demonstrated retrieval of usernames and passwords from Yahoo Mail.
The Heartbleed vulnerability has existed in the wild for over 2 years, but had not been broadly discovered and disclosed until yesterday (17:30 UTC April 7th) in an OpenSSL vulnerability announcement. While it is possible that a very small and secretive group of attackers were exploiting the vulnerability before, we think this is unlikely and that for practical purposes the vulnerability began with this announcement.
We use an Amazon EC2 Elastic Load Balancer to provide our SSL encryption, and Amazon Web Services acted quickly to remove the vulnerability. When we tested at 04:00 UTC April 8th, we were no longer vulnerable. Thus, we expect that we were vulnerable for at most 10.5 hours after the vulnerability announcement. By 11:15 UTC April 8th, we had re-keyed our SSL certificate so that if our private key had been previously exposed, it could no longer be used to decrypt traffic.
We have chosen to use SSL for all communications, and it is worth noting that in many ways this vulnerability in an SSL server is very similar to simply using a non-SSL site. The data sent between your browser and the non-SSL webserver is unencrypted and can be intercepted by anyone with access to the network. The most obvious threats would be when you connect on a public network, such as at a coffee shop. See our earlier post for more information on vulnerabilities of non-SSL sites, and why sites should use always-on SSL. In our system we have an Amazon Web Services Elastic Load Balancer handling the SSL encryption rather than the webserver itself.
This is important because it makes our site less vulnerable than most. The exposed data is only on the load balancer, which only sees the traffic going across it, not the webserver's internal data. This is why we make the comparison to using a coffee shop network, where another customer could "sniff" your traffic to the non-secured site.
Similarly, the only data that was vulnerable in our case was the data traveling across the load balancer as well as the data known to the load balancer, such as the encryption keys that the load balancer uses (including the private key). Most other webservers might also have exposed their internal data, but since ours is separated from our load balancer, it could not.
Potentially Exposed Data:
While we do not expect that any data was exposed from BrandVerity's servers, the nature of the vulnerability makes it impossible to know for sure. Here are some important items that could have been exposed:
We would recommend changing all of your passwords for SSL (https) sites on the Internet, BrandVerity included. However, you should wait to do this until each website has re-keyed their SSL certificates. BrandVerity has already done this and it is now safe to change your password.
We believe it is very unlikely your password was exposed, but changing it ensures that if it was, no unauthorized access will be possible. This is also a good reminder to use different passwords on different websites - if your password was compromised on one site, an attacker could use it to gain access to another site.
If an attacker had captured session cookies, they could have logged in using the account associated with those cookies. This would be nearly an identical attack to the session-hijack vulnerabilities we identified in major affiliate networks and alerted the industry to several years ago.
We have expired our sessions so that any sessions that might have been captured during the vulnerability period cannot be reused. You will be prompted to log in again.
Certificate Private Key:
If an attacker used this vulnerability to capture a certificate private key, they could then decrypt captured traffic that had been encrypted with that key, or even impersonate BrandVerity on a network they controlled. This requires a Man-in-the-middle Attack in which the attacker needs to have access to your network. Capturing traffic requires access to the network, either because it is a public network, or because the attacker is inside your home network or corporate network.
We think this type of attack is unlikely in our case, because most of our customers are on private networks. Attackers on public networks likely wouldn't see enough people accessing BrandVerity to make an attack interesting (as opposed to Facebook, for example, where there would be many users on a given public network).
A vulnerability as significant as Heartbleed doesn’t come around very often, but when it does it demands immediate attention. While we at BrandVerity feel it is highly unlikely that you were at all impacted, we felt it was critical to share our process and experience with you as soon as possible. We expect that the effects of this vulnerability will reverberate through the online community in the days and weeks to come, and we hope that this message has helped you understand the impact of the issue and actions you can take to protect your data.