The first thing you should know is that we checked our servers and determined that HelloWallet is not affected by that nasty Heartbleed Bug you’ve no doubt heard about. Our account aggregation partner, Yodlee, has also reported that they are not affected. We’re confident that your information is secure and no action is required on your part. That said, it’s always a good idea to change your password periodically and to use a different password for every website or application that requires one.
On Monday, April 7th, it was announced that researchers from Google and the security firm Codenomicon had discovered a long-standing vulnerability (there since 2011!) in OpenSSL, a widely used open source implementation of the SSL/TLS transport layer protocols for securing communications between two parties over the Internet. By some estimates, around half a million highly trusted websites are affected by this vulnerability, and perhaps as many as two-thirds of all websites.
If you take a look at the address bar in your browser when visiting a website and you see the lock icon and “https://”, there is at least the possibility that your private information could have been stolen. As far as security flaws go, this one is severe. What’s really scary is that OpenSSL is used not only in websites and applications, but also in hardware devices like wireless routers and Internet-enabled TVs.
The researchers say that, “without using any privileged information or credentials we were able to steal from ourselves the secret keys used for our X.509 certificates, usernames and passwords, instant messages, emails and business critical documents and communication.” Here’s how that happens:
To get that lock icon to appear in your browser, your browser must establish a secure connection with the website you’re visiting. This involves a “handshake” during which both parties identify each other and agree upon the cryptographic parameters to be used to secure the data to be exchanged over the connection. In nerd parlance, this handshake activity is expensive. Once a secure connection is established, it’s beneficial to keep it alive rather than re-establish it through subsequent handshaking. To keep the connection alive, an extension to the TLS protocol standard was introduced in 2012 that describes a “heartbeat” message that can be exchanged between the connected parties to say that they’re both still there even if no data is being exchanged at the moment. When a system receives a heartbeat request, it is supposed to reply with a heartbeat response that simply echoes what was sent in the request.
An attacker can exploit the Heartbleed Bug by sending a specially crafted heartbeat request to a website (or device) that uses a vulnerable version of OpenSSL. That vulnerable system sends back a response, but doesn’t simply echo what was sent in the request. The request carries its own claim of how long its payload is, and the vulnerable code trusts that claim without checking it against the size of the message actually received. So instead of echoing only the payload, it sends back to the attacker a whole bunch of additional information: whatever happens to be sitting in the vulnerable system’s memory next to the request at the time, which could include a wide variety of private information. As the researchers say, this could be usernames, passwords, and other sensitive information which could then be used for evil. Big problem!
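To make the “trusts the claimed length” point concrete, here is a small added illustration written for this post; it is not HelloWallet’s or OpenSSL’s code. It simulates a heartbeat record handler over a constructed block of “process memory”: a four-byte request that claims a 128-byte payload sits at the front, and a constructed secret string sits right after it, the way another connection’s data might in a real server. The `check_length` switch turns on the kind of bounds check the fixed OpenSSL release added (the request’s claimed payload, header and minimum padding must fit inside the record actually received). The record layout, the 16-byte minimum padding, the arena and the secret value are all assumptions of the demo.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_PADDING   16      /* minimum padding that must follow the payload */
#define ARENA_SIZE   512     /* size of the simulated process memory */

/* Simulated heartbeat handler. `rec`/`rec_len` is the record as received on
 * the wire; the response is written to `out`. With check_length == 0 it
 * behaves like the vulnerable code: it trusts the 16-bit length field in the
 * record. Returns the number of response bytes written, or 0 if dropped. */
static size_t handle_heartbeat(const uint8_t *rec, size_t rec_len,
                               uint8_t *out, size_t out_cap, int check_length)
{
    if (rec_len < 3 || rec[0] != HB_REQUEST)
        return 0;

    /* Header: 1 byte type, then a 2-byte big-endian claimed payload length */
    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];
    const uint8_t *payload = rec + 3;
    size_t resp_len = 3 + payload_len + HB_PADDING;

    /* Hardened path: the claimed payload plus header and padding must fit
     * inside the record we actually received, otherwise drop it silently. */
    if (check_length && 3 + payload_len + HB_PADDING > rec_len)
        return 0;

    if (resp_len > out_cap)
        return 0;

    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    /* Vulnerable path: copies payload_len bytes from the payload pointer,
     * running past the end of the 4-byte record into whatever follows it. */
    memcpy(out + 3, payload, payload_len);
    memset(out + 3 + payload_len, 0, HB_PADDING); /* real code uses random padding */
    return resp_len;
}

/* Constructed scenario: a request carrying 1 real payload byte but claiming
 * `claimed_len`, placed at the start of `mem`, with a constructed secret
 * immediately after it. Returns the record length as actually received (4). */
static size_t build_scenario(uint8_t *mem, size_t mem_len, uint16_t claimed_len,
                             const char *secret)
{
    memset(mem, 'x', mem_len);           /* filler standing in for other heap data */
    mem[0] = HB_REQUEST;
    mem[1] = (uint8_t)(claimed_len >> 8);
    mem[2] = (uint8_t)(claimed_len & 0xff);
    mem[3] = 'A';                        /* the single byte of real payload */
    memcpy(mem + 4, secret, strlen(secret));
    return 4;
}

/* Plain byte-string search (avoids the non-portable memmem). */
static int contains(const uint8_t *hay, size_t n, const char *needle)
{
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(hay + i, needle, m) == 0)
            return 1;
    return 0;
}

/* Returns 1 if the handler's response carries the constructed secret. */
static int response_contains_secret(int check_length)
{
    static uint8_t arena[ARENA_SIZE];
    static uint8_t resp[ARENA_SIZE];
    const char *secret = "constructed-secret:password123";   /* demo value */
    size_t rec_len = build_scenario(arena, ARENA_SIZE, 128, secret);
    size_t n = handle_heartbeat(arena, rec_len, resp, sizeof resp, check_length);
    if (n == 0)
        return 0;                        /* record dropped: nothing echoed */
    return contains(resp, n, secret);
}

int vulnerable_leaks_secret(void) { return response_contains_secret(0); }
int hardened_drops_request(void)  { return !response_contains_secret(1); }

/* The bounds check must not break honest heartbeats: 1-byte payload, length
 * field 1, 16 bytes of padding, 20 bytes on the wire. */
int hardened_answers_valid_request(void)
{
    uint8_t rec[3 + 1 + HB_PADDING] = { HB_REQUEST, 0, 1, 'A' };
    uint8_t resp[64];
    size_t n = handle_heartbeat(rec, sizeof rec, resp, sizeof resp, 1);
    return n == sizeof rec && resp[0] == HB_RESPONSE && resp[3] == 'A';
}

int main(void)
{
    printf("vulnerable handler leaks secret: %d\n", vulnerable_leaks_secret());
    printf("hardened handler drops request:  %d\n", hardened_drops_request());
    printf("hardened handler answers valid:  %d\n", hardened_answers_valid_request());
    return 0;
}
```

The only difference between the two paths is the single comparison of the claimed length against the bytes actually received; without it the echo copies 128 bytes starting from a 1-byte payload and the neighbouring secret goes out on the wire. In the demo the over-read stays inside the constructed arena so the program is well defined; in a real server the same copy walks into live heap memory, which is why the page’s warning about passwords and keys is not hypothetical.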
We take safeguarding your information very seriously at HelloWallet. Always know that we are thinking about your security.