Posts Heartbleed

Tue 15 April 2014

Further to the recent discovery of a serious vulnerability in the popular OpenSSL cryptographic software Libbrary (Heartbleed CVE-2014-0160), CityPay can confirm that, since the public release of Heartbleed our public facing secure services were fully patched with the OpenSSL fix on the 9th April at 2.23AM, immediately after the information was made available.

The potential affect of Heartbleed is that an attacker could read the memory of an affected system which could potentially lead to the compromise of web server private keys, identity information such as usernames, passwords and any given content.

To this affect, CityPay have analysed its logs and are pleased to confirm that no suspicious activity related to this issue has been found. Whilst this is the case, we are treating the seriousness of this issue as very high. 

Whilst, Heartbleed affected only our front end web servers, CityPay handle security on many levels and not just SSL. For instance:

  • all of our HTTP calls are controlled by access control lists.
  • web application firewalls are deployed to ensure that any known web hacking techniques are blocked, logged and alerted
  • card data is protected as soon as it enters our network using high grade ciphers - not with OpenSSL!.

Clients who are also running OpenSSL on their network should run a test with the online test tool at https://filippo.io/Heartbleed

As a matter of precaution, CityPay has forced Merchant Control Panel users to reset their password on their next logon.

Should you require further information regarding Heartbleed please see http://heartbleed.com/

+44 (0)1534 884000