You’ve probably heard by now of Heartbleed, a critical flaw in OpenSSL, the de facto security component used by most web services. This flaw makes it possible for attackers to read part of the memory of servers using OpenSSL for encryption, and steal data from it.
Over the weekend, a few members have asked us where we stand on the issue.
In short, PhotoDeck relies on the affected component, but we took the appropriate steps swiftly, and don’t believe there is a meaningful risk to your data. As a precaution, it is always a good idea to change your password, and especially to make sure you don’t re-use the same password across different services.
This is not the first (nor the last) time in PhotoDeck’s lifetime that a major security bug surfaces. We actively monitor security issues on a continuous basis and make sure we are able to react swiftly when such issues arise.
As a result, we were able to implement a correction to our system as soon as it was available, within about 21 hours of the bug being announced. This is a relatively short window, and from a hacker’s viewpoint there were far higher-profile targets to exploit than PhotoDeck. We have no evidence of data being compromised.
Still, what is the risk exactly?
PhotoDeck does not process (and therefore we don’t store) credit card numbers, and all financial traffic goes directly to our payment providers, so no financial data is accessible through PhotoDeck. In fact, in our setup the affected component only has access to data in transit (active sessions), not to the database. Similarly, the image and video files are out of reach.
Nonetheless, in theory, some users’ login credentials could have been compromised. So as a precaution, you can change your password (ME / Change my password).
More importantly, make sure that you don’t reuse the same password across services.
We will keep monitoring the Heartbleed situation closely, as well as security issues in general.