Ina Steiner EcommerceBytes Blog
News and insight focusing on ecommerce.
by Ina Steiner, Editor of EcommerceBytes.com
Wed Apr 9 2014 21:08:01

Chasing Down the Heartbleed Bug for Online Merchants


After spending the past two days wading through reports on the Heartbleed bug and reaching out to companies to see how their merchant customers were impacted by the security vulnerability, which had existed undetected for the past two years, it's difficult to know just how much trouble we're all in.

Online marketplaces and payment services were placating, telling me either they were never impacted by Heartbleed or reporting that patches were in place, so buyers and sellers had nothing to worry about.

But for merchants who run their own ecommerce sites, the news may not be as reassuring (even if some of those reports turn out to be giving users a false sense of security). ShipRush product manager Raf Zimberoff conveyed a sense of urgency, saying merchants who use open source or PHP-based systems on their websites should take immediate action.

And, he named names.

"If you use any PHP app (zencart, magento, opencart, prestashop, woocommerce, etc etc), even if part of a hosted solution, but especially if you are responsible for the server, then you MUST pay attention," he said.

If you pay a company to host your website server, make sure they've issued a patch. You may need to implement the patch yourself, or the hosting company may have done it for you.

Many ecommerce-related companies did not post anything publicly on their blogs. Kudos to Etsy and PayPal for being among those who did.

You can read EcommerceBytes coverage here (today's story) and here (Thursday's issue, which includes comments from eBay, etc.).

Let us know what questions you have and advice you care to share with your colleagues.





Readers Comments

by: The End

Wed Apr 9 22:16:33 2014

I've just asked my cart provider what actions they've taken.
We'll see what they have to say.
I understand a patch can be applied.

by: KathleenJohnson

Thu Apr 10 05:33:03 2014

I am amazed that none of the eCommerce sites have formally addressed the Sellers yet with reassurances of any kind.

I paid my Cell Phone bill yesterday with much trepidation. If I am nervous - then so are our buyers.......

by: wallflower

Thu Apr 10 06:13:24 2014

Ryan Moore said "The vast majority of our services were not impacted...".
Well, which ones WERE impacted???

by: Anonymous Annie

Thu Apr 10 11:54:42 2014

Fortunately, my ecommerce site was not one of the ones affected by the HeartBleed bug.

After we heard about it, my husband logged in to the server's admin pages and reviewed our settings and software versions. It's all good!!

The online test shows that we're in good shape too... so I posted a detailed announcement on my site's FAQ page to reassure my customers. (I also linked to the announcement from the site's home page.)

I hope this will help to alleviate any fears that customers may have.  

by: Basset

Thu Apr 10 13:09:58 2014

Basically I'm still ping-ponging between the conflicting advice of "Change your password" and "Wait to change your password".

Thanks Ina & Dave for keeping us up to date on this story, I've been following it online with interest but you guys do a good job of outreach to all levels of tech ability.

Has eBay addressed it further? More of "we're all good!" instead of Moore's "The vast majority of our services were not impacted and our users can continue to shop securely on our marketplace."

Hmmm... define "vast majority".

by: Puck

Thu Apr 10 14:00:31 2014

I logged into PayPal this morning and there's now a brand new Captcha page between the landing page and the account page.

Hmmmmm

by: Philip Cohen

Thu Apr 10 14:15:13 2014

@Basset,

You can always tell when an eBay or PayPal spokesperson is being disingenuous—their lips are moving! ...

by: charcorvet

Thu Apr 10 14:56:40 2014

I called PayPal yesterday because of a glitch we kept getting and was told they weren't affected by it but there were other security issues...so...........

I changed my passwords anyway 'cause it was 60 days since I played with them.

by: The End

Thu Apr 10 15:53:37 2014

Easy Peasy  :o)
Just got the New Patched EV-SSL certificate.
Here's to a prosperous season !

by: iheartjacksparrow

Thu Apr 10 22:29:34 2014

Agree with Basset. This morning it was "Change your password now!" but by noon it was "Experts say don't change your password!" I hope there will soon be a consensus about what we should be doing.

by: SusanO

Fri Apr 18 10:05:08 2014

Volusion is a particularly good choice for customers who are looking for a secure eCommerce framework that will ensure its clients and its business are protected. Multiple layers of security: DDoS solution including cloud-based and on-premise and edge routers to prevent attacks and provide efficient processing by network security devices. There are multiple layers of firewall protection. Network segmentation and security zoning to ensure that security threats are localized, and the impact is minimal.

In addition, Volusion offers many other tools, design factors and configuration and set-up techniques to protect its customers and their clients and partners: OS Based Security Configurations, Application-Based Security Configurations, Anti-Virus/Anti-Malware, Vulnerability Scanning, File Integrity Monitoring, Event Monitoring and Correlation, Redundancy, Failover and High Availability, and ongoing assessment, analysis and monitoring. The Volusion team provides its clients with an information security team, and a 24/7 security operations center, as well as external auditors and a computing security incident response team.

One of the reasons that Elegant MicroWeb clients choose Volusion design is to protect proprietary information, confidential data and customer and stakeholder satisfaction.
Volusion Design


