I was wondering if this new bug, the "Heartbleed Bug", had any effect on the accounts here. IIRC, OpenSSL is used, which is what this bug affects.
Link here ->
http://blog.lastpass.com/2014/04/lastpass-and-heartbleed-bug.html
Tl;DR of this link "The Heartbleed bug is a vulnerability in the OpenSSL cryptographic library that allows stealing of information normally protected by the SSL/TLS encryption used to secure the Internet."
You can check if sites using OpenSSL have been patched ->
https://lastpass.com/heartbleed/
I did a search for www.perfectworld.com and got the following result:
Unable to get HTTP headers for www.perfectworld.com
Site: www.perfectworld.com
Server software: Not reported
Vulnerable: Possibly (might use OpenSSL)
SSL Certificate: Possibly Unsafe (created 9 months ago at Jul 17 04:15:40 2013 GMT)
Assessment: Wait for the site to update before changing your password
ROFL, nice.
Anyway, in all seriousness, can a dev chime in and say if Perfect World is affected?
http://www.digitaltrends.com/gaming/heartbleed-bug-gaming-services-affected/
They might use the same OpenSSL version as the rest of the servers (I hope). But dev confirmation would be nice before I change my password.
STO Screenshot Archive
As I can't really provide full assurances, since I'm not actually at the PWE office, I can't go smack a web guy.. was Wednesday though, great office, got SWEET stuff there.. anywho, my best guess is the data is fine and dandy, as all user information is encrypted not just with SSL but with other encryption measures at the database.
That said, I'm not a definitive authority, so take my knowledge as you will.
Former Community Moderator, Former SSR DJ, Now Full time father to two kids, Husband, Retail Worker.
Tiktok: @Askray Facebook: Askray113
Since I've seen no official response from anybody important, I've changed my account info as a precaution.
The problem with Heartbleed is that it's an ongoing vulnerability. Changing your account info doesn't help - it's just putting the horse back in a barn with an open door.
If you're concerned about a service potentially being vulnerable, the statements which would be helpful from the service in question are either 1) "We were not running a vulnerable version of the SSL software" or 2) "We were running a vulnerable version and have patched it".
Until either event happens, changing your account info doesn't actually help, since your new info can just be re-compromised as long as a software version with the Heartbleed vulnerability is still running. Unless you're dealing with something like Gmail where you can turn on two-factor authentication or something like that, which doesn't matter if the data leaks.
Steam was already confirmed vulnerable above--but that does not directly impact Star Trek Online, since that is a separate login. Steam simply automates the login, and if you're like me, you don't use Steam, so you really don't care.
The login for the forums uses this link:
https://account.perfectworld.com/login
I tested this and it is NOT affected by Heartbleed--or they've fixed it if it was. The login for Star Trek Online is probably different, and unfortunately I'm not at home right now so I cannot find out what the actual link is to test for, but this should be enough information for someone who knows what they're doing to figure it out and find out.
The Gateway (gateway.startrekonline.com) uses https://auth.startrekonline.com/. I tested this, but it uses an implementation that the tool doesn't yet work with, so I can't confirm whether or not the gateway is affected.
Expanding on mindshadow999 above--it's pointless to change anything on your accounts until you know that:
1. the site WAS affected
2. the patch has been applied.
Until the patch on an affected site is applied--your information is just as vulnerable as before. Changing the information before the patch is applied only gives you a false sense of security. The ONLY solution, if you are that concerned, is to avoid the site altogether until the patch is applied.
Perfect World and Star Trek online might not be affected, but they would be very prudent to make an announcement one way or the other to put us at ease. A sticky in the General announcements would be a good idea.
http://arstechnica.com/security/2014/04/private-crypto-keys-are-accessible-to-heartbleed-hackers-new-data-shows/
Sites that are vulnerable to Heartbleed can have their crypto keys stolen. The only way to be completely safe is to both update to a secure version of OpenSSL AND to revoke and reissue their certificates.
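As an added example (written for this thread, not code from anyone posting in it or from the LastPass tool), here is a Python version of the two checks the thread keeps coming back to: the first post's assessment of the server's advertised OpenSSL version, and the point made just above that a patched site's certificate still needs to be reissued after disclosure. The `Server` header strings and the second certificate date are constructed; the Jul 17 2013 date is the one reported in the first post.

```python
import re
from datetime import datetime, timezone

# Heartbleed (CVE-2014-0160) affected the OpenSSL 1.0.1 line up to 1.0.1f;
# 1.0.1g fixed it. (1.0.2-beta1 was also affected; not handled here.)
# Certificates issued before public disclosure may have had their key leaked.
HEARTBLEED_DISCLOSED = datetime(2014, 4, 7, tzinfo=timezone.utc)
VULNERABLE_LETTERS = set("abcdef")   # 1.0.1, 1.0.1a ... 1.0.1f

def openssl_status(server_header):
    """Classify a Server header: 'vulnerable', 'patched', 'not_affected' or 'unknown'."""
    if not server_header:
        return "unknown"
    m = re.search(r"OpenSSL/(\d+\.\d+\.\d+)([a-z]?)", server_header)
    if not m:
        return "unknown"             # version not advertised ("Not reported")
    base, letter = m.group(1), m.group(2)
    if base != "1.0.1":
        return "not_affected"        # 0.9.8 and 1.0.0 never had heartbeat support
    if letter == "" or letter in VULNERABLE_LETTERS:
        return "vulnerable"
    return "patched"                 # 1.0.1g or later

def cert_status(not_before):
    """'reissued' if the cert postdates disclosure, else 'possibly_unsafe'."""
    return "reissued" if not_before >= HEARTBLEED_DISCLOSED else "possibly_unsafe"

def assess(server_header, not_before):
    """Combine both checks into the kind of advice the thread discusses."""
    lib, cert = openssl_status(server_header), cert_status(not_before)
    if lib == "vulnerable":
        return "Do not log in; wait for the site to patch"
    if lib == "not_affected":
        return "Safe: never affected"
    if lib == "patched" and cert == "reissued":
        return "Safe to change your password now"
    if lib == "patched":
        return "Patched, but certificate not reissued: key may still be compromised"
    return "Unknown server software; wait for the site to confirm its status"

# Certificate date reported in the first post (constructed parse of that string).
SAMPLE_NOT_BEFORE = datetime.strptime("Jul 17 04:15:40 2013 GMT",
                                      "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)
# Constructed: a certificate reissued after disclosure.
REISSUED_NOT_BEFORE = datetime(2014, 4, 10, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(assess("Not reported", SAMPLE_NOT_BEFORE))
```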
Could we get a web team response here? Has any PWE infrastructure even been vulnerable to this in the first place?
Joined January 2009