Blog

If you’ve been about the Internet at all this week, you’ve heard about the “Heartbleed” bug in OpenSSL. This bug allows a remote attacker to read arbitrary memory out of a server, without any authentication or privileged access needed. It’s a very alarming exploit, one that has everyone involved in security on the Internet scrambling to see if they’re affected, and to fix any issues that have arisen from it.

I can happily report that Vindicia® CashBox® service was not affected by this issue. The SOAP-based API interface was not affected; nor was the web portal; nor were any of our QA or sandbox environments. We run a secondary service in Amazon’s cloud environment. The Amazon machines exposed to the vulnerability were patched by Amazon the same day the exploit was announced. The two clients impacted were notified and certificates have been rotated.

One issue clients may be concerned about is that of passwords. This vulnerability has the potential to make passwords visible to remote attackers. Again, since CashBox was never vulnerable, this was never a concern. Vindicia passwords are cryptographically random and issued by us, so there’s no concern that a user from a client may have reused a password that was compromised elsewhere here. We recommend that everyone use the password we issue them only on Vindicia; if you follow that recommendation, you have nothing to be worried about. However, if you shared your Vindicia password with another site, in light of the severity of this vulnerability, we recommend you reach out to our Client Services team to arrange a password reset.

Our clients often operate their own web sites and secure environments. These clients will need to evaluate their systems to determine whether they have updates they need to perform on their end. Depending on server architecture, one thing clients should consider is whether the SOAP password used programmatically to communicate with Vindicia could’ve been hijacked from within their own servers due to their own vulnerability. If that’s a possibility, after the server has been updated, clients should coordinate with Client Services to change those passwords as well.

Bottom line: Vindicia CashBox, Vindicia Select™ and ChargeGuard products were unaffected, and we see no security impact to our clients from our side from the Heartbleed vulnerability.