Oban Conversion and the Heartbleed bug
What is Heartbleed
Heartbleed is a bug in certain versions of OpenSSL, the software underpinning most secure communications over the web, including HTTPS connections to the Oban Conversion tool. The bug enables an attacker to remotely read the server's memory, potentially scraping keys, passwords and other sensitive information, without leaving a trace. OpenSSL is included in most Linux distributions and a multitude of other network devices where secure communications are needed.
How was the Oban Conversion tool affected?
The Oban Conversion tool uses secure communications at multiple points.
1. The main script is hosted on Akamai CDN
2. The backend servers are fronted by an SSL load balancer
3. The backend HTTPS servers accept SSL connections
As of yesterday, we have taken the following action:
• All of these vulnerable points have been patched.
• We have reviewed the system and have found no evidence that it was compromised.
• We are putting our tool through professional penetration testing to highlight any other potential security issues.
Why is this important?
The Oban Conversion tool uses a script tag on the client's site (much like Google Analytics or Adobe SiteCatalyst). This script tag allows us to make changes to the site on the fly, which is exactly how we run tests. In theory, should an attacker gain access to the client's Oban Conversion tool, malicious code could be inserted on the site. This code could do anything, including:
• Redirect visitors to a phishing page
• Scrape sensitive details from the site (e.g. passwords/credit card details)
The Oban Conversion team takes vulnerabilities such as this seriously and urges you to change your password immediately.
What else do I need to know?
Oban Conversion is by no means the only service affected by Heartbleed. Please see http://heartbleed.com for a full description of the bug and how it may affect your servers or personal information (e.g. banking).
For any concerns regarding the Oban Conversion tool, please contact your account manager or email@example.com.