Possible MN Heartbleed vulnerability

(42 Posts)


cozietoesie Thu 10-Apr-14 10:17:35

Without wanting to start a scare where the reality of the problem might be limited, are MNHQ recommending a change of password to users given that Mumsnet looks at the moment to be one of the sites classified as vulnerable?

saintsalive Thu 10-Apr-14 10:19:35

I would like to know this too please.

meditrina Thu 10-Apr-14 10:21:36

OP: have you got a good list of sites found to be vulnerable?

Does MN even have an SSL?

cozietoesie Thu 10-Apr-14 10:26:38

Yes - it looks to have an SSL.

Here's an article on it. There's a list linked in towards the bottom of the article although you'll likely go goggle eyed trying to use it.

meditrina Thu 10-Apr-14 10:30:39

Curses! I was looking at the GitHub list earlier, and had hoped you might have found something easier to read!

cozietoesie Thu 10-Apr-14 10:31:52

Sorry. Maybe give it a few hours for someone to play around with it.

RowanMumsnet (MNHQ) Thu 10-Apr-14 10:32:09

Hello - we do understand people's concerns about Heartbleed; we've asked Tech for their viewpoint and will post it up when we have it.

cozietoesie Thu 10-Apr-14 10:34:58

Thanks Rowan.

ShamTech (MNHQ) Thu 10-Apr-14 10:47:51

Hi all. Thanks for your concerns.

Firstly, we already applied the fix to our servers shortly after the news broke. You can check for yourselves at filippo.io/Heartbleed - just type mumsnet.com into the field and hit the button.

Secondly, due to the fact that user passwords on Mumsnet are not revealed, not even to the user of the account, there is no way for anyone who may have been able to masquerade as you using the Heartbleed bug to find out what your password is. And because they need to know your password to change your password, they would also not have been able to lock you out of your own account.

We have no evidence whatsoever of anyone's account having been compromised at Mumsnet. From Tech's point of view, you should not need to change your password.

cozietoesie Thu 10-Apr-14 11:06:07

Fast action, Tech. Well done.

meditrina Thu 10-Apr-14 21:14:33

(somewhat later on) - Thanks Tech! wine

meditrina Fri 11-Apr-14 18:28:03

A bump, given what's just happened and some posters wondering if it could be Heartbleed.

cozietoesie Fri 11-Apr-14 18:50:51

I did wonder a little.

cozietoesie Fri 11-Apr-14 19:00:39

Put it this way - I've changed my password.

Keepithidden Fri 11-Apr-14 20:15:55

Shamtech, you said this "Secondly, due to the fact that user passwords on Mumsnet are not revealed, not even to the user of the account, there is no way for anyone who may have been able to masquerade as you using the Heartbleed bug, to find out what your password is. And because they need to know your password to change your password, they would also not have been able to lock you out of your own account."

This is completely untrue.

This shows you don't actually know how the heartbleed bug works. There could have been some real damage done here, but instead an obvious joke thread was posted which alerted the community that security has been compromised.

The way heartbleed works is by dumping random bits of the server's RAM. The site is patched now, but the way that Justine's password was got could be applied to any other user logging in at the same time.

Signed.

Someone in the know ;)
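An added worked example, written for this thread rather than taken from any poster here or from OpenSSL itself, to show what Keepithidden describes above and why ShamTech's earlier point about passwords never being revealed does not cover it. It is a small C simulation of the heartbeat over-read (CVE-2014-0160): a made-up heap arena holds a heartbeat record next to a constructed login request from another user; the vulnerable handler copies as many bytes as the request claims, the patched one (modelled on the OpenSSL 1.0.1g fix) checks the claim against the record it actually received. The arena, the neighbour's request and the password in it are all invented for the demonstration, and the copy is clamped to the arena so the program itself stays in bounds.

```c
/*
 * Added example: simulation of the OpenSSL TLS heartbeat over-read
 * (CVE-2014-0160, "Heartbleed"). Not OpenSSL's code and not from the thread.
 */
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <stddef.h>

#define ARENA_SIZE 256
#define HB_PADDING 16   /* RFC 6520: a heartbeat carries at least 16 bytes of padding */

/* Stand-in for a slice of the server's heap: the incoming heartbeat record
 * followed by whatever happened to be allocated next to it. */
static unsigned char arena[ARENA_SIZE];

/* Constructed sample data, not captured from any real site: a login form
 * another user has just submitted. Even if the site stores only a password
 * hash, the plaintext sits in RAM while the request is being handled. */
static const char NEIGHBOUR[] =
    "POST /login HTTP/1.1\r\n\r\nusername=someone&password=hunter2\r\n";

/* Heartbeat record layout (RFC 6520): type(1) | payload_length(2) | payload | padding.
 * `claimed` is what the length field says; `payload` is what is actually sent. */
static size_t build_record(unsigned char *out, const char *payload, uint16_t claimed)
{
    size_t real = strlen(payload);
    out[0] = 1;                                  /* heartbeat_request */
    out[1] = (unsigned char)(claimed >> 8);
    out[2] = (unsigned char)(claimed & 0xffu);
    memcpy(out + 3, payload, real);
    memset(out + 3 + real, 0, HB_PADDING);
    return 3 + real + HB_PADDING;                /* bytes actually received */
}

/* Put the record at the start of the arena and the neighbour's request right after it. */
static size_t fill_arena(const char *payload, uint16_t claimed)
{
    memset(arena, 0, sizeof arena);
    size_t rec_len = build_record(arena, payload, claimed);
    memcpy(arena + rec_len, NEIGHBOUR, sizeof NEIGHBOUR - 1);
    return rec_len;
}

/* Vulnerable handler, modelled on the pre-1.0.1g logic: it trusts the length
 * field and never compares it with the size of the record it received. The
 * copy is clamped to the arena only so this simulation stays memory-safe;
 * real OpenSSL read up to 64 KiB past the end of the record. */
static size_t heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                                   unsigned char *resp)
{
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    (void)rec_len;                               /* the bug: never consulted */
    size_t avail = (size_t)((arena + ARENA_SIZE) - (rec + 3));
    size_t n = payload < avail ? payload : avail;
    resp[0] = 2;                                 /* heartbeat_response */
    resp[1] = rec[1];
    resp[2] = rec[2];
    memcpy(resp + 3, rec + 3, n);                /* echoes adjacent memory too */
    return 3 + n;
}

/* Patched handler, modelled on the 1.0.1g fix: discard any record whose
 * claimed payload plus header and minimum padding exceeds what arrived. */
static size_t heartbeat_patched(const unsigned char *rec, size_t rec_len,
                                unsigned char *resp)
{
    if (rec_len < 1 + 2 + HB_PADDING)
        return 0;                                /* silently discard */
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if (1 + 2 + (size_t)payload + HB_PADDING > rec_len)
        return 0;                                /* the fix: claim does not fit */
    resp[0] = 2;
    resp[1] = rec[1];
    resp[2] = rec[2];
    memcpy(resp + 3, rec + 3, payload);
    return 3 + payload;
}

/* Byte-wise search; the reply may contain NUL bytes, so strstr is not safe here. */
static int contains(const unsigned char *buf, size_t len, const char *needle)
{
    size_t n = strlen(needle);
    if (n > len)
        return 0;
    for (size_t i = 0; i + n <= len; i++)
        if (memcmp(buf + i, needle, n) == 0)
            return 1;
    return 0;
}

/* Send a malicious heartbeat (claims 4096 bytes, carries 5) to the chosen
 * handler and report whether the reply contains the neighbour's password. */
int leaks_password(int patched)
{
    unsigned char resp[3 + ARENA_SIZE];
    size_t rec_len = fill_arena("hello", 4096);
    size_t n = patched ? heartbeat_patched(arena, rec_len, resp)
                       : heartbeat_vulnerable(arena, rec_len, resp);
    return contains(resp, n, "password=hunter2");
}

/* An honest heartbeat (claims 5 bytes, carries 5) must still be answered by
 * the patched handler; returns the reply length, 3 + 5 = 8. */
size_t honest_reply_len(void)
{
    unsigned char resp[3 + ARENA_SIZE];
    size_t rec_len = fill_arena("hello", 5);
    return heartbeat_patched(arena, rec_len, resp);
}

int main(void)
{
    printf("vulnerable handler leaks password: %s\n", leaks_password(0) ? "yes" : "no");
    printf("patched handler leaks password:    %s\n", leaks_password(1) ? "yes" : "no");
    printf("patched handler answers honest request with %zu bytes\n", honest_reply_len());
    return 0;
}
```

Build with `cc -std=c99 -Wall heartbleed_sim.c -o heartbleed_sim` (file name assumed) and run it. The point of the comparison is the one Keepithidden makes: the server's password store being hashed is irrelevant, because the bytes that leak are whatever was in memory when the malformed heartbeat arrived, and a login in progress is in memory as plaintext.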

slightlyglitterstained Fri 11-Apr-14 21:02:23

This is a nice explanation
xkcd.com/1354/

Agree with Keepithidden.

slightlyglitterstained Fri 11-Apr-14 21:05:32

And sitting here on my phone, I notice my connection is http anyway!

fuzzpig Fri 11-Apr-14 21:15:13

Blimey I hadn't even heard about this <technophobe
As an aside should I be concerned about online banking shock

ImAThrillseekerHoney Fri 11-Apr-14 21:15:30

So why has everyone suddenly been logged out?

ouryve Fri 11-Apr-14 21:46:39

Twice

MargotLovedTom Fri 11-Apr-14 21:49:37

I haven't got a clue what Heartbleed is but I was logged out about five minutes ago and have just had to log back in. Do I need to change my password?

cozietoesie Fri 11-Apr-14 22:05:27

It would do no harm to change it in any case, Margot, if the site is one that's had a fix put in.

ShamTech (MNHQ) Fri 11-Apr-14 23:49:04

Thanks to all for your patience and for bringing all this to our attention. As can be seen, we are as vulnerable as any other site using password logins. Despite our best efforts, somebody clearly took advantage of the published vulnerability before we applied the fix earlier this week. As Keepithidden points out the damage was thankfully minor. And whilst we do encrypt passwords on our side, if you do use the same password for other sites, it would be prudent for you to change your password.

In the next few days we will be posting some useful information for protecting yourself on the internet. Until then, thanks again for everyone's help in uncovering this and bearing with us. We'll keep doing our best to respond to these threats as quickly as we can.

slightlyglitterstained Sat 12-Apr-14 09:36:16

I use LastPass for a lot of passwords - it's a good way to manage your passwords, and it'll generate passwords for you for a new site and remember them for you, so there's no reason to reuse the same password for every site. (Reusing passwords is really not a good idea, it's like having the same key for your car, front door, work. Convenient, until someone nicks your handbag....)

It also lets you check what sites have been affected by Heartbleed so you can see what you need to change: blog.lastpass.com/2014/04/lastpass-now-checks-if-your-sites-are.html

MargotLovedTom Sat 12-Apr-14 10:51:09

Thanks cozietoesie

What if LastPass is hacked slightlyglitterstained? wink

cozietoesie Sat 12-Apr-14 11:08:40

It's the risk you take using the internet - most sites are no safer than the size of the Chief Software Director's vulnerabilities. You just have to stay vigilant and exercise common sense as you should in the physical world.

(And sites like LastPass are several steps up from using 'Password' or your dog's name and your birthday - and then putting them on a yellow post it note on the fridge!)

moondog Sat 12-Apr-14 12:23:13

The safest thing to do is use one of the online checkers posted earlier in this thread to see if a site you use is still vulnerable to heartbleed. If it is - don't go changing your password there! A hacker could be listening and will see you do it. If however, the online checker says the site is safe, then it is safe to go change your password there and hackers will probably not be able to listen.

I hope you all stay safe on the internet smile

LastPass does seem the best bet. I use it, but have not yet gone all the way with huge unpronounceable passwords for each site.

As for lastpass getting hacked I was wondering about that myself, but I'm not sure it's possible. The master password stays on your PC so the site never really sees the cleartext.

Nanny0gg Sun 13-Apr-14 00:21:57

So, the email I've just received signed from Justine, telling me that all MN passwords have been deleted, to set a new one and make sure all other passwords are changed - genuine or not?

RafaIsTheKingOfClay Sun 13-Apr-14 00:54:19

Genuine. You can do it through the link on this thread.

yelwah Sun 13-Apr-14 05:20:42

Some sage advice on passwords https://xkcd.com/936/

And there is nothing wrong with writing passwords down, you have your bank account numbers written down on every statement and your bank cards, just keep the list somewhere safe, that means on paper, NOT in a Word document on your computer.

Keepithidden Sun 13-Apr-14 20:02:51

Well, this is interesting, someone has used the same user name as me! They also know a lot more about hacking than me too!

MN how does this work?

cozietoesie Sun 13-Apr-14 20:05:06

Yikes. email them directly.

cozietoesie Sun 13-Apr-14 20:06:13

Sorry - that should have read 'email MNHQ directly.'

noblegiraffe Sun 13-Apr-14 21:26:14

Keepithidden, the hacker who knew Justine's password also found out yours, and others. They posted as Justine to expose the problem, when tech didn't appreciate the extent of the vulnerability they logged in as you and some other posters too.

So they don't have the same username as you, they used your password and logged into your account.

Hopefully you have changed your password now so they can't do it again.

cozietoesie Sun 13-Apr-14 21:38:15

giraffe

That is the same user name used above on the thread. It bears checking out in any case.

DinoSnores Sun 13-Apr-14 21:51:50

cozie, it is the same username not because there are two distinct users with the same name, but because the hacker had Keepithidden's password, so logged in as them to leave Tech a message, so it is not the same user name as such, but the same account that has been used by someone else.

cozietoesie Sun 13-Apr-14 22:10:39

Oh I took that point, Dino. Rather depends on the behind the scenes timing doesn't it. (Any password changes etc.) And there have been some unsettling things happening.

It's best it's reported to HQ however - who knows what else they may have done with that account if they had it under control - so that Keepit can clear her name.

Eg-get rid of the suspicion of sending questionable messages to Tech! grin

noblegiraffe Sun 13-Apr-14 22:24:46

The person who hacked Justine posted about it on another forum, including the use of keepithidden's account to talk to tech.

They don't seem to have had any malicious intent, merely trying to get MN to accept the scope of the issue and force a password change.

It wasn't the same person as whoever posted the list of usernames and passwords on the internet.

cozietoesie Sun 13-Apr-14 22:27:12

Interesting - thanks giraffe.

(You mean there really was a questionable message to Tech? I just made that up! shock)

BIWI Sun 13-Apr-14 22:28:30

Do you have a link to that, noblegiraffe? I'd be interested in reading it

Keepithidden Mon 14-Apr-14 09:27:28

Thanks everyone, finally managed a password change.

Going to be interesting if I keep getting emails asking about Tech help from MN though. I'm not at all computer-savvy!
