eBay, Etsy, PayPal, GoDaddy and others had advice for online merchants who are worried about the Heartbleed bug that was made public this week. A bug in OpenSSL, the encryption software many ecommerce sites rely on to protect data such as passwords and credit card numbers, means those sites were vulnerable for the past two years, and by all accounts it’s a disaster of massive proportions.
Small sellers should not assume the problem will go away by itself, according to one vendor. Z-Firm’s Rafael Zimberoff said it’s urgent that every ecommerce seller who has an open source or PHP-based system on their website take action immediately. Zimberoff is Product Manager for ShipRush, a tool to manage shipping and tracking on marketplaces and on ecommerce-enabled websites.
“Merchants need to own and solve the issue themselves,” he said. His advice for sellers who operate their own ecommerce website is spelled out in a blog post on the Z-Firm website.
Testing 10 random ZenCart and Magento stores that use ShipRush, Zimberoff’s team ran them through a vulnerability tester at filippo.io/Heartbleed. “Of the 10, three were found to have the vulnerability,” he said. “Most vulnerable are PHP-based systems that tend to run on Apache and related web servers. If you use any PHP app (zencart, magento, opencart, prestashop, woocommerce, etc etc), even if part of a hosted solution, but especially if you are responsible for the server, then you MUST pay attention.”
Etsy was the first and possibly the only major marketplace to post information for users about the Heartbleed bug publicly. Michael Rembetsy, Etsy Vice President of Technical Operations, wrote, “While at this time we have no indication that an attack against Etsy has occurred beyond proactive security tests, members who want to take extra precautions can take the following steps,” and he outlined a series of steps buyers and sellers could take on this Etsy blog post.
eBay did not post an announcement, but spokesperson Ryan Moore provided EcommerceBytes with the following statement: “eBay is aware of the security vulnerability identified in a version of Open SSL, also known as the Heartbleed Bug. The vast majority of our services were not impacted and our users can continue to shop securely on our marketplace. Consumer safety is our top priority, and we will continue to monitor this bug to ensure our users remain protected.”
Amazon spokesperson Ty Rogers kept it short and sweet, saying Amazon was not affected by the Heartbleed bug. The company did publish a blog post about the bug on Tuesday for developers who use its cloud service to power their own websites.
PayPal published a blog post on Wednesday telling users their accounts were secure, that their account details were not exposed in the past and remain secure, and that there was no need to take additional action or change passwords.
“While we always advise our customers to be cautious and aware of the security of their personal and financial information, in this case we want to reassure you there is no need to be unduly concerned. When you login to PayPal using your user name and password these details were not exposed to the OpenSSL vulnerability.”
However, the company said its security teams did identify a “handful of businesses” that it recommended upgrade their Payflow Gateway integrations to eliminate the risk of vulnerability. The Payflow Gateway is a payment gateway for online merchants that links their websites to their processing network or merchant account. “We have already been in touch with the merchants who could potentially be affected and are working with them to upgrade their integrations,” wrote company Chief Technology Officer James Barrese.
PayPal rival Dwolla also said it was not affected by the Heartbleed bug in a post on the Dwolla blog. UK-based payments service Skrill, formerly called Moneybookers, did not provide a response by press time.
Hosting companies have been making a patch available for website owners if their servers are vulnerable. We asked GoDaddy’s Chief Information Security Officer Todd Redfoot if he had any advice for online merchants who use GoDaddy services in the wake of the Heartbleed bug. “We recommend online merchants confirm their IT provider has secured their service environment and then rekey their SSL Certificates. At GoDaddy, we do not charge to re-key our certificates, but some providers may require a fee. Once you’ve done these two things and installed the re-keyed certificate, you have defended yourself against the Heartbleed bug.”
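The two steps Redfoot describes, confirming the server’s OpenSSL is fixed and then re-keying the certificate, as an added shell example; this is not code from the article or from any vendor quoted in it. It assumes a POSIX shell with the `openssl` command on the path. The version ranges it uses (1.0.1 through 1.0.1f and 1.0.2-beta1 affected; 1.0.1g and later fixed; the 1.0.0 and 0.9.8 branches never contained the heartbeat code) are upstream OpenSSL facts that the article itself does not state, and the function names `heartbleed_status` and `rekey_csr` are chosen here.

```shell
#!/bin/sh
# Added example, not from the article or any vendor it quotes.
# Step 1: classify the installed OpenSSL by its upstream version string.
# Step 2: generate a brand-new private key and CSR so the certificate can be
#         re-keyed (the old key must be treated as exposed).

# Prints "affected", "fixed" or "unaffected" for an OpenSSL version string
# such as "1.0.1e" or "1.0.1e-fips". Ranges are upstream OpenSSL facts:
#   affected   : 1.0.1 .. 1.0.1f, and 1.0.2-beta1
#   fixed      : 1.0.1g and later, 1.0.2-beta2 and later, 1.1.x
#   unaffected : 1.0.0 and 0.9.8 branches, which never had heartbeat code
heartbleed_status() {
    case "$1" in
        1.0.1|1.0.1[a-f]|1.0.1[a-f]-*|1.0.2-beta1) echo affected ;;
        1.0.1[g-z]*|1.0.2*|1.1.*)                  echo fixed ;;
        *)                                         echo unaffected ;;
    esac
}

# Version string of the openssl binary on this host, e.g. "1.0.1e".
# "openssl version" prints "OpenSSL 1.0.1e 11 Feb 2013"; field 2 is the version.
installed_openssl_version() {
    openssl version 2>/dev/null | cut -d' ' -f2
}

# Generate a fresh 2048-bit RSA key and a CSR for DOMAIN into OUTDIR.
# The CSR is what you hand to the certificate provider for re-keying;
# the .key file never leaves the server.
rekey_csr() {
    domain="$1"
    outdir="${2:-.}"
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$outdir/$domain.key" \
        -out "$outdir/$domain.csr" \
        -subj "/CN=$domain" 2>/dev/null
}

# Stand-alone run: report the installed library, and re-key if a domain
# (and optional output directory) is given on the command line.
if command -v openssl >/dev/null 2>&1; then
    v=$(installed_openssl_version)
    echo "installed OpenSSL $v: $(heartbleed_status "$v")"
    if [ -n "$1" ]; then
        rekey_csr "$1" "${2:-.}" && echo "new key and CSR written for $1"
    fi
fi
```

Two caveats a practitioner would want. First, distribution packages often backport the fix without changing the version string, so a server reporting 1.0.1e can already be fixed; the package manager’s changelog for the openssl package, not the version number alone, is the authority there. Second, a patched library only helps once every process that loaded the old one (web server, mail server, load balancer) has been restarted, which is part of what “secured their service environment” has to mean before re-keying is worth doing.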
Jimmy Rodriguez, CTO of 3dcart said the best thing merchants can do to protect their online store from the Heartbleed bug is to ensure that their ecommerce solution provider is PCI compliant – and, he said, it’s nearly impossible for merchants to become compliant on their own. “Any merchant using open source shopping carts like OS Commerce and Magento can be at risk because even though the software itself may not be a problem, the hosting environment itself could be responsible for causing the security breach.
“Part of being a PCI compliant hosting provider includes making sure that the operating system software is constantly updated, and that someone at the organization is constantly on the lookout for new security updates, as new ones appear on a regular basis. While companies will constantly test their software, and release patches, the hosting environment itself needs to be constantly monitored as well.”
Ecommerce web-hosting firm Volusion said it was never vulnerable since it doesn’t use OpenSSL. Steve Krebsbach, VP of Information Technology, told EcommerceBytes the company uses a combination of encryption methodologies, both proprietary and commercially available solutions, to protect sensitive data and sensitive transactions. “As part of our offering we enable our merchants to use any one of the following SSL providers, Symantec, GeoTrust, Thawte or Verisign.”
Would merchants who use payment processors on their Volusion stores be affected by the bug? “No customers using the Volusion Payment Services would have experienced any impact,” he said. More information is available on this Volusion blog post.
Be sure to stay tuned as more information becomes available while security pros continue to deal with the fallout from the Heartbleed bug.