Heartbleed Vulnerability – Affected Online Banking, Social Media, and Web Apps

Heartbleed, the newest addition to the list of bugs, has been described as a catastrophe by Bruce Schneier, who wrote in his blog post:

On the scale of 1 to 10, this is an 11

and rightly so. We use the Internet today to have private conversations with friends and family, conduct business, and perform online transactions that are secured by encrypting traffic between a client (you) and the server using a set of protocols called Secure Sockets Layer (SSL). SSL encrypts the communication between user and server using a set of public and private keys. It is the digital version of two people each having a key to unlock a locked case. Heartbleed, a bug discovered by a member of the Google security team and by Codenomicon, strikes at the heart of the SSL protocol: it makes a copy of the key to unlock that case and gets access to whatever you or the server have put in there.
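The check that the vulnerable OpenSSL code skipped, and that a network defender can apply to captured TLS traffic to spot Heartbleed-style requests, as an added Python example that is not the script mentioned in this post. The sample records are constructed and the protocol constants are written in by hand from the TLS and heartbeat RFCs:

```python
import struct

# Constants from RFC 5246 / RFC 6520 (written here, not taken from the post).
TLS_HEARTBEAT = 24      # TLS record content type of the heartbeat extension
HB_REQUEST, HB_RESPONSE = 1, 2
HB_PADDING_MIN = 16     # RFC 6520 requires at least 16 bytes of padding

def parse_tls_record(data):
    """Return (content_type, version, body); raise if the 5-byte header
    promises more body bytes than actually arrived."""
    if len(data) < 5:
        raise ValueError("truncated TLS record header")
    ctype, version, length = struct.unpack("!BHH", data[:5])
    body = data[5:5 + length]
    if len(body) != length:
        raise ValueError("record length field exceeds bytes on the wire")
    return ctype, version, body

def heartbeat_is_sane(body):
    """The bounds check unpatched OpenSSL (before 1.0.1g) lacked: the claimed
    payload plus 1-byte type, 2-byte length and mandatory padding must fit in
    the record that arrived. Otherwise a vulnerable server echoed back up to
    64 KiB of whatever process memory happened to follow the record."""
    if len(body) < 3:
        return False
    hb_type, payload_len = struct.unpack("!BH", body[:3])
    if hb_type not in (HB_REQUEST, HB_RESPONSE):
        return False
    return 1 + 2 + payload_len + HB_PADDING_MIN <= len(body)

def classify_record(raw):
    """Label one raw record the way an IDS rule over captured traffic would."""
    try:
        ctype, _version, body = parse_tls_record(raw)
    except ValueError:
        return "truncated"
    if ctype != TLS_HEARTBEAT:
        return "not-heartbeat"
    return "heartbeat-ok" if heartbeat_is_sane(body) else "heartbeat-malformed"

# Constructed sample records (TLS 1.1 headers): a benign 4-byte heartbeat with
# 16 bytes of padding, a request claiming 16384 payload bytes while sending
# none, a handshake record, and a record that promises 16 bytes but delivers 1.
SAMPLE_RECORDS = [
    b"\x18\x03\x02\x00\x17\x01\x00\x04ping" + b"\x00" * HB_PADDING_MIN,
    b"\x18\x03\x02\x00\x03\x01\x40\x00",
    b"\x16\x03\x01\x00\x02\x01\x00",
    b"\x18\x03\x02\x00\x10\x01",
]
```

Running `classify_record` over the four samples labels the second one "heartbeat-malformed", which is exactly the shape of request a patched server now rejects.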

Sounds horrible enough, right? Indeed it is. Any person or organization that exploited the Heartbleed bug against a server could have gained access to major social media and banking applications, and used those services to obtain private information or commit financial fraud.

Fortunately there is a way of knowing whether any of your online services were affected, so I spent the better part of last night creating a script that checks a list of social media and banking websites for exposure to the vulnerability. I am putting up the list in this blog post. If any web app you use is in the list of affected apps, you must change the password for that application RIGHT AWAY. That is, of course, if you don’t want Neo to read your private conversations on Facebook or transfer all of your money into his account. I realize that, knowing the seriousness of this bug, you are on the edge of your seat waiting anxiously for the list. Well, here you go.

Update: The list has been updated with new statuses. 
Updated on: 15-Apr-2014 at 05:44 PM Pakistan Standard Time(GMT +05:00).

Online Banking Websites

| Name | Was it affected? | Do you need to change your password? | Is it patched? |
|---|---|---|---|
| Bank AL Habib | Yes | Yes | No |
| Standard Chartered Bank Pakistan | Yes | Yes | No |
| United Bank Limited | Data Unavailable | | |
| Askari Bank | No | No | Not affected |
| Allied Bank Limited | Yes | Yes | No |
| Bank Alfalah Limited | No Online Service | | |
| Burj Bank | Vulnerability Doesn’t Apply | | |
| Citibank Pakistan | Data Unavailable | | |
| Dubai Islamic Bank | Yes | Yes | No |
| Faysal Bank | Yes | Yes | No |
| Habib Bank Limited | Yes | Yes | No |
| JS Bank | Yes | Yes | No |
| Muslim Commercial Bank Limited | Yes | Yes | No |
| Meezan Bank Limited | Yes | Yes | No |
| Soneri Bank | Yes | Yes | No |
| Summit Bank | Yes | Yes | No |
| Tameer Microfinance Bank | No Online Service | | |
| Barclays Bank Pakistan | Yes | Yes | No |
| First Women Bank | Data Unavailable | | |
| Habib Metropolitan Bank | Yes | Yes | No |
| KASB Bank | Vulnerability Doesn’t Apply | | |
| Al-Baraka Bank | Data Unavailable | | |
| Bank Islami Pakistan Limited | No | No | Not affected |


Social Media Networks

| Name | Was it affected? | Do you need to change your password? | Is it patched? |
|---|---|---|---|
| Facebook | Yes | Yes | Yes |
| Twitter | Yes | Yes | Yes |
| Tumblr | Yes | Yes | Yes |
| LinkedIn | Yes | Yes | Yes |
| Pinterest | No | No | Not affected |
| Stumbleupon | Yes | Yes | Yes |
| Google+ | Yes | Yes | Yes |


Email Services

| Name | Was it affected? | Do you need to change your password? | Is it patched? |
|---|---|---|---|
| Gmail | Yes | Yes | Yes |
| Hotmail | Unsure. Could be, could be not | You can change the password to be on the safe side | |
| Yahoo | Yes | Yes | Yes |


Content Publishing/Blog

| Name | Was it affected? | Do you need to change your password? | Is it patched? |
|---|---|---|---|
| WordPress | Yes | Yes | Yes |
| Blogger | Yes | Yes | Yes |
| Medium | Yes | Yes | Yes |
| Wikipedia | Yes | Yes | Yes |


B2B/B2C/C2C Websites

| Name | Was it affected? | Do you need to change your password? | Is it patched? |
|---|---|---|---|
| eBay | Yes | Yes | Yes |
| PayPal | Yes | Yes | Yes |
| Amazon | Yes | Yes | Yes |
| SalesForce | Yes | Yes | Yes |
| Freshbooks | Yes | Yes | Yes |

As the number of “Yes” rows in the list shows, Heartbleed has hit almost every category of website on the Internet that so proudly used SSL for encryption. The list will keep being updated as I verify more websites. Let me know via the comments section if you want the status of your SSL-enabled website. Check back for more updates. Meanwhile, if you have an account on any of these websites, and I know that you do, CHANGE YOUR PASSWORDS NOW!

Basit Saeed

Passionately a software developer, Basit Saeed considers himself a person who believes in software and social media being the change agents of the 21st century. He is a techie, a gadget freak, and loves playing with code whenever he can. He tweets at @basit_saeed.


7 thoughts on “Heartbleed Vulnerability – Affected Online Banking, Social Media, and Web Apps”

    • Qualys SSL checker is great for detailed certificate validation, but they don’t have a proprietary tool to check for Heartbleed attacks. My tests included automated testing and manual validation of certificates using header information and certificate issue dates.

  1. Thanks for a local assessment of Heartbleed information. While the authenticity of the information could be questioned, since it is not authorized by the governing body, another column of information could be added on whether or not they have been patched.

    Once again, thanks for spreading the word out.


    • Thank you for reading and taking the time out to comment, Salman. The script I used to verify uses authenticated protocols to look up vulnerability information in certificates. My only agenda behind putting up a list of affected businesses is to provide Pakistani users an insight into how bad the situation is with Heartbleed. Because, let’s face it, you can get a list of affected global websites like Amazon, Facebook, or Tumblr via a simple Google search. What you can’t find is the list of local businesses affected by the bug.

      I understand it must be difficult to trust the source, but then again, you can’t expect any governing body to back any sort of information on this as they’re probably unaware of the risk itself.

      Nonetheless, the idea of security on the world wide web is a leap of faith we put in these protocols to safely deliver and store our private information, but when the likes of Google, Facebook, Amazon, and other giants are affected by a bug, it is safe to assume that security standards in websites developed for and in Pakistan are highly weak against this particular bug. All of this is a kicker to this: it only takes a few minutes to update your passwords and change other security-related information before it is too late. Better safe than sorry, right?

    • Yes, I do agree with you on updating the information. I had already set a time to run my script again and fetch the updated certificate information for all of the websites in the list above. Hopefully our banks will have taken the necessary approach to nullify the risk of Heartbeat.

  2. Thanks for one’s marvelous posting! I truly enjoyed reading it, you’re a great author. I will make certain to bookmark your blog and may come back later in life. I want to encourage you to continue your great writing, have a nice morning!
