
Origin Site, EA/Mythic Account Site, and Heartbleed

GalenKnighthawke

Grand Poobah
Stratics Veteran
Stratics Legend
Does anyone happen to know if the Origin site and/or the EA/Mythic account site or both were vulnerable to the "Heartbleed" security issue?

If they were, does anyone happen to know if they have plugged the hole?

-Galen's player
 

DJAd

Stratics Legend
Stratics Veteran
Stratics Legend
Good luck anyone trying to change their password on the EA/Mythic/Origin website. Maybe now is the ideal time to change that utter **** billing system to something new.
 

Spiritless

Sage
Stratics Veteran
Stratics Legend
UNLEASHED
You can enter URLs here to check: https://lastpass.com/heartbleed/

It identifies origin.com as vulnerable because it uses Apache server and OpenSSL.
That tool is using a really poor detection method for this vulnerability. Just because a server is using Apache and OpenSSL certainly doesn't make it automatically vulnerable to this problem.

I've tested origin.com and it is reporting as not vulnerable. It may have been in the past, though, as they could have recently patched it. Or, it may never have been. They'd have to answer that directly. It doesn't appear as though they've regenerated their certificates though so if the site was vulnerable then the private keys could be compromised.
 

kRUXCg7

Sage
Stratics Veteran
Good luck anyone trying to change their password on the EA/Mythic/Origin website. Maybe now is the ideal time to change that utter **** billing system to something new.
Tried that not long ago and it did not work. A friend of mine had troubles, too. Also tried the "I forgot my password" option, did not work either. Some useless error message when trying to save a new password from the link in the email.
 

The Zog historian

Babbling Loonie
Stratics Veteran
Stratics Legend
UNLEASHED
That tool is using a really poor detection method for this vulnerability. Just because a server is using Apache and OpenSSL certainly doesn't make it automatically vulnerable to this problem.

I've tested origin.com and it is reporting as not vulnerable. It may have been in the past, though, as they could have recently patched it. Or, it may never have been. They'd have to answer that directly. It doesn't appear as though they've regenerated their certificates though so if the site was vulnerable then the private keys could be compromised.
Actually, running OpenSSL is the highest risk factor. That's why the test's point, the only point, is to see if a site has been/still is vulnerable based on what's running on the server. There is no test, apart from what a website's own admins can do, that can tell if any given site has been exploited. A corollary is determining someone's risk for HIV: "Are you promiscuous?" or "Do you share needles?" do not test for the actual infection, but they can give someone an idea if he should get tested.

This is why Microsoft's statement said: "Microsoft Azure Web Sites, Microsoft Azure Pack Web Sites and Microsoft Azure Web Roles do not use OpenSSL to terminate SSL connections. Windows comes with its own encryption component called Secure Channel (a.k.a. SChannel), which is not susceptible to the Heartbleed vulnerability."

The next paragraph explains that one might be vulnerable, however, if "running Linux images in Azure Virtual Machines, or software which uses OpenSSL..."
 

Spiritless

Sage
Stratics Veteran
Stratics Legend
UNLEASHED
You are incorrect on almost everything you've said.

1) Only specific versions of OpenSSL are affected by this vulnerability. They are 1.0.1, 1.0.1a through to 1.0.1f inclusive. 1.0.2-beta is also affected but this isn't a stable release. 1.0.1g is the fixed version. Many sites running OpenSSL are absolutely fine by virtue of the fact they are not, and never were, using a vulnerable version.

2) There is a very specific test which can be performed that shows precisely whether a web server using OpenSSL is vulnerable to this. That is, quite simply, trying to send a malformed SSL heartbeat packet and observing the server's response.
 

The Zog historian

Babbling Loonie
Stratics Veteran
Stratics Legend
UNLEASHED
You are incorrect on almost everything you've said.

1) Only specific versions of OpenSSL are affected by this vulnerability. They are 1.0.1, 1.0.1a through to 1.0.1f inclusive. 1.0.2-beta is also affected but this isn't a stable release. 1.0.1g is the fixed version. Many sites running OpenSSL are absolutely fine by virtue of the fact they are not, and never were, using a vulnerable version.

2) There is a very specific test which can be performed that shows precisely whether a web server using OpenSSL is vulnerable to this. That is, quite simply, trying to send a malformed SSL heartbeat packet and observing the server's response.
I'm hardly "incorrect," whether "almost everything" or not. I was speaking in a very broad sense about "running OpenSSL," because most on this forum don't need or don't care about the particulars. Do you note the original question? It wasn't about whether Origin or EA are running vulnerable versions of OpenSSL, but the broad question that 99.9% of users are asking. It's a rare home user who will ask, "Hey, has the admin patched the latest fixed version of OpenSSL?"

That web-based test, and any others, merely look for, ahem, if a server is running potentially affected software. Which do you think a home user is going to do, run a script (David Grant from the EFF has one to test multiple servers), or do a relatively simple web-based test? If a site has been "possibly" affected, then someone can go through the routine of changing passwords, checking any statements, and so on. Similarly, only high risk factors for HIV warrant the expense of a genuine test.

But in the end, the only way to determine if a site has indeed been compromised, not just has been vulnerable, is by its admins themselves. I seem to remember saying something about that.
 

Winter

Lore Keeper
Stratics Veteran
Lastpass reports accounts.eamythic.com as Now Safe

So, the accounts server has been updated. Was it safe (and our passwords) before? Not sure.

On a related note - no site or server has been reported attacked via this vulnerability.
 

GalenKnighthawke

Grand Poobah
Stratics Veteran
Stratics Legend
Lastpass reports accounts.eamythic.com as Now Safe

So, the accounts server has been updated. Was it safe (and our passwords) before? Not sure.

On a related note - no site or server has been reported attacked via this vulnerability.
I am glad for both but I am sure you will appreciate the importance of a sense of caution.

-Galen's player
 

GalenKnighthawke

Grand Poobah
Stratics Veteran
Stratics Legend
Lastpass reports accounts.eamythic.com as Now Safe

So, the accounts server has been updated. Was it safe (and our passwords) before? Not sure.

On a related note - no site or server has been reported attacked via this vulnerability.
Origin.com still shows as possibly vulnerable, however.

-Galen's player
 

Spiritless

Sage
Stratics Veteran
Stratics Legend
UNLEASHED
I'm hardly "incorrect," whether "almost everything" or not. I was speaking in a very broad sense about "running OpenSSL," because most on this forum don't need or don't care about the particulars. Do you note the original question? It wasn't about whether Origin or EA are running vulnerable versions of OpenSSL, but the broad question that 99.9% of users are asking. It's a rare home user who will ask, "Hey, has the admin patched the latest fixed version of OpenSSL?"
Err, actually the original question was precisely whether EA/Origin were vulnerable and whether the admin had patched it...

As I said, the tool you linked identified them as vulnerable. This isn't accurate. Neither are leaking data which shows the presence of the heartbleed vulnerability. As I also said though, whether they were vulnerable previously is another matter. The origin.com SSL certificate was generated prior to the release of this bug so if it was vulnerable, those private keys could now be exposed. Interestingly, it appears as though the cert attached to accounts.eamythic.com was generated yesterday which indicates an attempt at mitigating the exploit after patching (which may suggest it was previously vulnerable.)

That web-based test, and any others, merely look for, ahem, if a server is running potentially affected software. Which do you think a home user is going to do, run a script (David Grant from the EFF has one to test multiple servers), or do a relatively simple web-based test? If a site has been "possibly" affected, then someone can go through the routine of changing passwords, checking any statements, and so on. Similarly, only high risk factors for HIV warrant the expense of a genuine test.
Actually, there are now web-based tests which are specifically aimed at checking for this vulnerability. No scripts needed:

http://filippo.io/Heartbleed
https://www.ssllabs.com/ssltest/analyze.html

But in the end, the only way to determine if a site has indeed been compromised, not just has been vulnerable, is by its admins themselves. I seem to remember saying something about that.
Unfortunately, since this exploit leaves no trace of its operation on the server, even administrators cannot tell if they have been compromised by this issue. From a security perspective, it is always best to assume the worst case and if a vulnerable version was known to be used then users should change their passwords and admins should patch and regenerate their SSL certificates accordingly (which appears to have been precisely what they have done for the accounts.eamythic.com domain.)

Of course, that advice applies to users too. Changing your passwords and assuming the current passwords you're using are compromised won't do you any harm. :)

On a related note - no site or server has been reported attacked via this vulnerability.
There are probably thousands of them being attacked by it right now after its public disclosure. The Yahoo servers were used in one of the initial tests to retrieve passwords.
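The two signals the posts above rely on, the running OpenSSL release (1.0.1 through 1.0.1f and the 1.0.2 betas affected, 1.0.1g fixed) and whether the certificate was issued before or after the bug became public, can be combined into a simple defender-side triage. This is an added example, not code from anyone in the thread; the disclosure date constant and the sample inputs are assumptions chosen for illustration.

```python
import re
from datetime import date

# Public disclosure date of Heartbleed, used as the cut-off for "old" certificates
# (assumed constant for this example).
DISCLOSURE = date(2014, 4, 7)

# Matches release strings such as "1.0.1e", "1.0.1g", "1.0.2-beta1", "0.9.8y".
_VER_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-(beta\d*|dev))?$")


def is_vulnerable_version(version: str) -> bool:
    """True for the affected releases named in the thread: 1.0.1 and 1.0.1a..1.0.1f,
    plus the 1.0.2-beta line. 1.0.1g and the 0.9.8 / 1.0.0 branches are not affected."""
    m = _VER_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised OpenSSL version: {version!r}")
    major, minor, patch, letter, pre = m.groups()
    base = (int(major), int(minor), int(patch))
    if base == (1, 0, 1):
        return letter < "g"  # "" (plain 1.0.1) and "a".."f" are affected
    if base == (1, 0, 2):
        return pre is not None and pre.startswith("beta")
    return False


def assess(version: str, cert_not_before: date) -> dict:
    """Turn the running version plus the certificate issue date into a status
    and the remediation order discussed in the thread (patch first, then rotate
    keys, then have users change passwords)."""
    vuln_now = is_vulnerable_version(version)
    old_cert = cert_not_before < DISCLOSURE
    if vuln_now:
        status = "vulnerable"
        actions = ["upgrade OpenSSL to 1.0.1g or later and restart TLS services",
                   "generate a new private key, reissue and revoke the old certificate",
                   "ask users to change passwords only after the patch is live"]
    elif old_cert:
        # Fixed now, but a key issued before disclosure cannot be proven clean
        # if a vulnerable build was ever deployed; the exploit leaves no server log.
        status = "patched, exposure unknown"
        actions = ["rotate key and certificate if a vulnerable build was ever in use",
                   "then invalidate sessions and ask users to change passwords"]
    else:
        status = "patched and rotated"
        actions = ["users can change passwords now"]
    return {"vulnerable_now": vuln_now, "cert_predates_disclosure": old_cert,
            "status": status, "actions": actions}


if __name__ == "__main__":
    # Constructed sample: fixed release, certificate reissued two days after disclosure.
    print(assess("1.0.1g", date(2014, 4, 9)))
```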
 

Winter

Lore Keeper
Stratics Veteran
...

Of course, that advice applies to users too. Changing your passwords and assuming the current passwords you're using are compromised won't do you any harm. :)
It does no good to change passwords before the servers are patched. If you are worried about this vulnerability, anything you type to a vulnerable server can be intercepted.
 

Spiritless

Sage
Stratics Veteran
Stratics Legend
UNLEASHED
That is true. But, as I've said, the account management domain is not presently vulnerable and had its certificate regenerated yesterday.

EA should probably clarify this themselves to all of its users, beyond UO, really since it looks very likely they have at minimum taken preventive measures by regenerating that cert. The status of origin.com, since it has an old cert, is a relevant point of interest especially.
 

The Zog historian

Babbling Loonie
Stratics Veteran
Stratics Legend
UNLEASHED
Err, actually the original question was precisely whether EA/Origin were vulnerable and whether the admin had patched it...

As I said, the tool you linked identified them as vulnerable. This isn't accurate. Neither are leaking data which shows the presence of the heartbleed vulnerability. As I also said though, whether they were vulnerable previously is another matter. The origin.com SSL certificate was generated prior to the release of this bug so if it was vulnerable, those private keys could now be exposed. Interestingly, it appears as though the cert attached to accounts.eamythic.com was generated yesterday which indicates an attempt at mitigating the exploit after patching (which may suggest it was previously vulnerable.)
My point was that the original question was very general, not asking about any OpenSSL versions. Most home users don't care what particularly needs fixing or what needs to be, just that it is.

You realize, don't you, that you just implied origin.com may have been vulnerable? I myself wasn't paying attention to the dates of EA's certificates, but that's interesting. At least it appears someone heard early enough for them to check.

Actually, there are now web-based tests which are specifically aimed at checking for this vulnerability. No scripts needed:

http://filippo.io/Heartbleed
https://www.ssllabs.com/ssltest/analyze.html
That's now (in fact I had been checking out the latter link a while ago). But when someone asked in the early morning, I was giving an answer that was valid as an assessment of general risk. That's hardly "incorrect" in "almost everything," don't you think?

Unfortunately, since this exploit leaves no trace of its operation on the server, even administrators cannot tell if they have been compromised by this issue. From a security perspective, it is always best to assume the worst case and if a vulnerable version was known to be used then users should change their passwords and admins should patch and regenerate their SSL certificates accordingly (which appears to have been precisely what they have done for the accounts.eamythic.com domain.)

Of course, that advice applies to users too. Changing your passwords and assuming the current passwords you're using are compromised won't do you any harm. :)

There are probably thousands of them being attacked by it right now after its public disclosure. The Yahoo servers
I was again talking in a general sense about "only admins can know." Sometimes they can't, of course. It's this kind of exploit that makes an admin's hair fall out, but the regular home user still had tests early on for determining if a specific site could have been compromised.
 

Spiritless

Sage
Stratics Veteran
Stratics Legend
UNLEASHED
Putting aside the issue of who/what was correct or incorrect, I believe and hope the discussion that followed has clarified some things to everyone both about the vulnerability and the status of EA's servers. :)

Again, I reiterate, EA should really be making a statement themselves about this issue and informing their customers as many companies who hold sensitive data have already done.
 

The Zog historian

Babbling Loonie
Stratics Veteran
Stratics Legend
UNLEASHED
I'll just say that I never go into a thread thinking "who" is correct, just "what" is correct. And I never make it personal unless the other does. ;D
 

GalenKnighthawke

Grand Poobah
Stratics Veteran
Stratics Legend
Sex references and egos aside....I think we really should know about this stuff. I mean this isn't the usual "this is my priority and I think everyone should care as much as me." This is something that has the internet security crowd really creeped out. With excellent reason.

-Galen's player
 

Sauteed Onion

Lore Keeper
Stratics Veteran
Sex references and egos aside....I think we really should know about this stuff. I mean this isn't the usual "this is my priority and I think everyone should care as much as me." This is something that has the internet security crowd really creeped out. With excellent reason.

-Galen's player
I'm not sure about who is making sex references but if my video leads somebody to believe that nope.
In reality this has been going on for years, and the people who decide what stories to run and when in the A.P. knew about it, and very unfortunate people knew about it, but the information at least by the press (not to mention companies with their future to consider) is held until the breaking point where either enough people know enough to let everybody else know and cause a panic or two it would be a ratings success and advertisers would pay out precious $$ to get eyes on their Rosland Capital commercials and political campaign shorts.

Yeah it is creepy though. But it's not like something that just happened one night and now we're all being exploited like never before. It's been going on.
 

Promathia

Social Distancing Since '97
Premium
Stratics Veteran
Stratics Legend
UNLEASHED
It would be really nice to get an answer about this.

Blizzard has informed its players that they are fine. Arenanet has posted about it to their Guild Wars 2 players. Minecraft has let people know it was at risk... etc., etc.
 

GalenKnighthawke

Grand Poobah
Stratics Veteran
Stratics Legend
Good news is that another site, SSLLabs.com or something, gave Origin.com a pass for Heartbleed (said was not vulnerable).

Bad news is that SSLLabs gave Origin.com an F overall for other reasons.

*chuckles and sighs*

We're doomed. Oh well.

-Galen's player
 

GalenKnighthawke

Grand Poobah
Stratics Veteran
Stratics Legend
2 of the 3 places I know of that check for this say that origin.com either is clear or never was vulnerable. The third says it isn't sure and that its security certificate was dated from before the discovery of the vulnerability.

Sadly I think that's about as good as we're likely to get with EA being EA.

It's really pretty sad what a war zone the Internet is these days. And pretty sad how EA is most of the time.

-Galen's player
 

GalenKnighthawke

Grand Poobah
Stratics Veteran
Stratics Legend
When you type in EA heartbleed into Google, the first hit is this thread.

I'm famous! For a pretty ****ed up reason though.

The 2nd hit is about the same thread on the SW:TOR boards.

Eventually you get an announcement from Pogo (that's EA too, right?) that says Pogo's secure.

-Galen's player
 

G.v.P

Stratics Legend
Stratics Veteran
Stratics Legend
You can enter URLs here to check: https://lastpass.com/heartbleed/

It identifies origin.com as vulnerable because it uses Apache server and OpenSSL.
Here's another good resource:
http://www.extremetech.com/computing/180261-heartbleed-which-passwords-you-should-change-right-now

Pinterest (yes, I use Pinterest ;P) sent users a direct E-Mail asking for users to change their password. What a **** storm. I guess we have to pretty much change all our passwords lol.

Tried that not long ago and it did not work. A friend of mine had troubles, too. Also tried the "I forgot my password" option, did not work either. Some useless error message when trying to save a new password from the link in the email.
I recently lost all of my AIM accounts and my old AOL E-Mail account due to what most people believe is an AOL-based reset, but now I wonder if it has to do with Heartbleed. Meh.

Anyway, happy birthday :). :p.
 