Heartbleed SSL Vulnerability

We wanted to provide a formal update regarding the recently discovered Heartbleed SSL vulnerability. The issue is a bug in the widely used OpenSSL library that enables an attacker to gain access to private keys that allow the attacker to steal data and eavesdrop on communication that should have remained private. It is a significant bug with widespread ramifications across the Internet.

The good news, however, is:

None of Social Strata's services are affected by this vulnerability: Hoop.la, QuestionShark, UBB Forum, Eve Community, FeePod, or Hoo.do.

Thus, your data is safe and was never at risk of compromise. If Social Strata's services had been affected, it would have only applied to sites that are using SSL (HTTPS) to encrypt all communication. If your site uses HTTP, then traffic is generally not encrypted and thus this vulnerability would not have been applicable.

If you have any questions about this, please do let us know!

Hi Brian,

Thanks for this update. I have a question related to Facebook, GMail and Yahoo - for folks who used those services to log in to our Hoopla community, are they in any way endangering our community if they have not changed their passwords on those platforms? (For example, on FB, you can choose to always use https for your account; you can also integrate your account with Hoopla; and FB was at risk due to Heartbleed.)

I would like to post a reminder to our members to change those passwords, but also confirm to everyone that our community was not at risk due to Heartbleed.

Thanks!

Hi Melanie,

I don't think they could be "endangering" your community unless they are admins on your site and those sites were exposed to the Heartbleed vulnerability. Of course, if their Facebook/Google/Yahoo accounts were compromised, then they would be vulnerable on any third-party system that they have linked to their social account (such as Hoop.la).

Hoop.la has no inherent vulnerability by using those third-party social login platforms, so it really comes down to whether or not a user's account was compromised on a vulnerable system.

For the highest level of security, you might suggest users set up two-factor authentication with their third-party social networks. Then, even if their password is compromised, a malicious user still needs to have a device (such as a mobile phone) in their possession in order to log in as the user.

Hope that helps,

Brian