CVE-2014-0160 is putting bitcoin sites at risk

[Dusty]

At the time of writing bitstamp (!!!) , btcchina, bitfinex and probably others are still vulnerable.

Probably bitstamp and btcchina are at fault because of incapsula.

http://heartbleed.com/

http://filippo.io/Heartbleed/

[1714845533]

1714845533

[1714845533]

1714845533

[Rannasha]

Bitstamp currently disabled logins. They posted this on their website:

Dear Bitstamp clients,

After reported vulnerabilities in OpenSSL, we applied necessary patches to our system. Incapsula, our DDOS mitigation provider is still working patching their system.

In order to provide required security, both system need to be patched. We are in constant contact with Incapsula and are working with them to complete necessary procedures. Until then Bitstamp has decided to temporally deactivate:

-account registration,
-account login
-and all virtual currency withdrawal functions

We will keep you updated on the progress.

Thank you for understanding.

Best regards
Bitstamp team

BitFinex sent an email to its users earlier today:

Hello Rannasha,

As you may be aware, yesterday a vulnerability affecting latest versions of OpenSSL used by Bitfinex was discovered.

While this vulnerability has now been fixed, we strongly encourage you to change your password as soon as possible and enable/re-enable OTP authentication in your Bitfinex account.

Withdrawals will be disabled for 10 hours to let you the time to change your information.

We will update you about the situation in the coming hours.

Regards,
The Bitfinex Team
https://www.bitfinex.com/

[nibor]

That has got to be bug of the century... if not ever.

Implies that for 2 years since code was released anyone running a server using openssl 1.0.1 (upto 1.0.1f inclusive) an attacker could silently (i.e. no logging or trail) download the ssl private key off the server. And then if they could intercept any ssl traffic between server and client they could then decrypt that data (again silently leaving no trace). And could have been doing that for 2 years.

Or have I got the wrong end of the stick here?

This implies that every users need to change every password on every site that was using 1.0.1?

Refs:
https://heartbleed.com/
http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=96db9023b881d7cd9f379b0c154650d6c108e9a3;hp=0d7717fc9c83dafab8153cbd5e2180e6e04cc802
http://security.stackexchange.com/questions/55076/what-should-a-website-operator-do-about-the-heartbleed-openssl-exploit

[BitcoinHoarder]

That has got to be bug of the century... if not ever.

Implies that for 2 years since code was released anyone running a server using openssl 1.0.1 (upto 1.0.1f inclusive) an attacker could silently (i.e. no logging or trail) download the ssl private key off the server. And then if they could intercept any ssl traffic between server and client they could then decrypt that data (again silently leaving no trace). And could have been doing that for 2 years.

Or have I got the wrong end of the stick here?

This implies that every users need to change every password on every site that was using 1.0.1?

Refs:
https://heartbleed.com/
http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=96db9023b881d7cd9f379b0c154650d6c108e9a3;hp=0d7717fc9c83dafab8153cbd5e2180e6e04cc802
http://security.stackexchange.com/questions/55076/what-should-a-website-operator-do-about-the-heartbleed-openssl-exploit

You are correct, and there are many other ways to exploit the server memory.  For example, it has been shown (and I tested it on my own servers) that you can dump the HTTP headers (no trace left!) and extract session IDs.  You can then trivially use that session id to masquerade as a logged in user.  It's REALLY easy.