UAE e-commerce companies are reacting to last week’s announcement of a major security flaw in the widely used software OpenSSL.
Named ‘Heartbleed’, the bug has reportedly gone undetected for about two years and could have affected an estimated two-thirds of all web servers, which were using OpenSSL, meaning that the security of millions of internet users could have been breached. People are being urged to change their passwords, and companies are being advised to check and upgrade their software. The bug was discovered earlier this week by Finnish security company Codenomicon.
Omar Kassim, founder of online retailer JadoPado.com, told itp.net that JadoPado’s infrastructure used an affected version of OpenSSL.
“We found out about the Heartbleed bug on the 8th of April at 10.00, and pushed out a fix to all our affected sites by 13.00, less than 12 hours after the bug was announced. We approximated that the bug was announced via a submission to the National Vulnerability Database in the US at 02.55. Our initial fix was to patch our OpenSSL version to the latest version that was made available when the bug was announced,” Kassim said.
“A few days later we re-issued our SSL certificate and are in the process of applying to revoke our previous certificate. We take security very seriously at JadoPado. To the best of our knowledge, no customer data has been exposed. JadoPado does not store any credit card data or customer sensitive data within its own infrastructure. We haven’t felt the need to advise customers as no customer data has been exposed.”
Online clothes store Namshi was also affected. Faraz Khalid, Co-founder and Managing Director at Namshi, said: “Like Google, Amazon, and other major websites, Namshi was using up-to-date security software in which the vulnerability was discovered. We immediately patched the vulnerability and changed our security certificates as soon as it was released, and have no evidence any customer data was compromised. Furthermore, we do not store sensitive data such as credit card or payment information on our servers.”
Many local sites were not affected, including e-shopping mall Tejuri.com. Ayaz Maqbool, managing director for Tejuri, said the site was not impacted as it uses commercially licensed software and security infrastructure, which does not use the encryption technology impacted by the Heartbleed bug. Nevertheless, all Tejuri.com platform components were validated and certified as having no exposure to the Heartbleed flaw.
Heartbleed affects OpenSSL, software used on servers to ensure data security. The flaw in the software library allows malicious actors to potentially access as much data as they can copy without leaving any digital fingerprints. OpenSSL is widely implemented across an array of devices including web servers, mobile phones and smart TVs.
Nicolai Solling, Director of Technology Services at Help AG, said that the high profile of Heartbleed meant that most companies have taken steps to ensure they are not exposed.
“Organisations have been very busy on making sure they are not vulnerable,” he said. “We sent out communication from our support helpdesk and we are in constant touch, assisting customers addressing the impact of this vulnerability. More than 60 cases were opened in the last three working days and numerous devices have been patched, certificates re-issued etc… I would say that Heartbleed has definitely made the big press, both from the seriousness of the vulnerability itself as well as the link towards NSA spying, which was raised in the news.”