The Heartbleed bug left about half a million websites exposed.
GE Money is recommending customers change their passwords in the wake of the Heartbleed security bug, which appears to have made vulnerable a number of GE's Australian websites.
Financial websites run by GE Money, including the Myer Visa Card and Myer Card portals, as well as Coles Mastercard, were vulnerable to the Heartbleed security bug, Fairfax Media can reveal. A number of other GE partner websites, including 28degrees Mastercard, were also vulnerable.
A security warning appears on Myer's website.
Many of the affected websites have since been patched against Heartbleed or are in the process of being patched. It's understood Coles patched its Mastercard website on the night of Wednesday, April 9. It put a new private encryption key on the website on Friday, April 11.
Being vulnerable to the security bug meant that the websites were potentially exposing financial details and log-in credentials up until recently, and that a hacker could have scooped up these private details before GE patched the flaw. As yet, there is no evidence to suggest the websites were compromised, although this does not mean that they weren't: according to the security researchers from Google and a Finnish firm who discovered it, exploitation of the Heartbleed bug leaves no trace in server logs.
A similar warning appears on Coles MasterCard's website.
At least one Canadian government department, the Canada Revenue Agency, said on Monday that the ID numbers of roughly 900 people were stolen from its systems, which were left vulnerable by Heartbleed. The agency said everyone affected would receive a registered letter and free access to credit protection services.
Fairfax Media contacted GE Capital and Coles on Friday about Heartbleed affecting their sites.
"There is no vulnerability or issue with Heartbleed for any of our platforms," Coles spokeswoman Anna Kelly said then. "Our tests confirm, no recent or current vulnerability to Heartbleed."
The security advisory on GE Money's website.
After then showing Coles evidence on Saturday that the Coles Mastercard site was vulnerable, Kelly said on Monday: "We cannot discuss details of our IT security testing or processes for obvious reasons. However, we can confirm that our systems have not been compromised."
Kelly did not dispute the evidence that the Coles Mastercard website was vulnerable.
Since Fairfax contacted Coles, its website is now showing a "security update" that links directly to the GE Money website. The advice, which appeared on the site on Monday night, says that recent media reports concerning Heartbleed demonstrated "the need to ensure that you regularly change your online passwords".
"GE has taken precautions and steps to protect customer data from this [Heartbleed] threat and has no reason to believe that any customer data has been compromised," the advisory says.
"To change your password now, please click on the 'forgot your password' link…"
Furthermore, Coles Mastercard, Myer Visa Card and Myer Card websites now have new SSL certificates with Friday's date, meaning that they were all updated in the wake of the Heartbleed bug. The bug was officially disclosed by the team behind the open-source encryption software OpenSSL at 3.27am AEST on Tuesday, April 8.
Experts recommended that SSL certificates, together with the private keys behind them that only website owners are supposed to have, be replaced if a site was vulnerable to Heartbleed, as the private keys may have been copied by hackers and could then be used to perform "man in the middle" attacks against customers, decrypting their internet traffic to reveal the data it was meant to protect.
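The article's test of whether a site responded was a simple one: does its certificate carry a date after the disclosure? The following is an added example, not code from the article or from any of the companies named in it, that applies that same check to certificate data in the shape Python's `ssl.getpeercert()` returns. The disclosure time is the one the article gives (3.27am AEST, Tuesday 8 April 2014, which is 17:27 UTC on 7 April); the hostnames and certificate dates in `SAMPLE_CERTS` are constructed for illustration, and `fetch_cert` is an optional helper for checking a live site.

```python
import socket
import ssl
from datetime import datetime, timedelta, timezone

# Disclosure time as reported in the article: 3.27am AEST on 8 April 2014.
# AEST is UTC+10, so comparisons are done on timezone-aware datetimes.
AEST = timezone(timedelta(hours=10))
HEARTBLEED_DISCLOSED = datetime(2014, 4, 8, 3, 27, tzinfo=AEST)


def cert_not_before(cert):
    """Return the certificate's notBefore as a UTC datetime.

    `cert` is a dict in the format ssl.getpeercert() returns, where
    'notBefore' looks like 'Apr 11 00:00:00 2014 GMT' (OpenSSL pads
    single-digit days with a second space, which strptime tolerates).
    """
    seconds = ssl.cert_time_to_seconds(cert["notBefore"])
    return datetime.fromtimestamp(seconds, tz=timezone.utc)


def reissued_after_disclosure(cert, disclosed=HEARTBLEED_DISCLOSED):
    """True if the certificate was issued after the disclosure instant."""
    return cert_not_before(cert) > disclosed


def audit(certs, disclosed=HEARTBLEED_DISCLOSED):
    """Map each hostname to 'reissued' or 'pre-disclosure certificate'."""
    return {
        host: ("reissued" if reissued_after_disclosure(cert, disclosed)
               else "pre-disclosure certificate")
        for host, cert in certs.items()
    }


def fetch_cert(host, port=443, timeout=5.0):
    """Fetch a live server's certificate dict (not used by the sample run)."""
    context = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample data: placeholder hostnames, not the sites in the article.
SAMPLE_CERTS = {
    # Issued on the Friday after disclosure, like the reissued certs described.
    "cardportal.example": {"notBefore": "Apr 11 00:00:00 2014 GMT"},
    # Issued months earlier: still serving a certificate from before the bug.
    "rewards.example": {"notBefore": "Jan 15 00:00:00 2014 GMT"},
    # Same calendar day as disclosure in Australia, but before 17:27 UTC.
    "early.example": {"notBefore": "Apr  7 12:00:00 2014 GMT"},
    # A few hours after disclosure: counts as reissued once converted to UTC.
    "late.example": {"notBefore": "Apr  7 20:00:00 2014 GMT"},
}

if __name__ == "__main__":
    for host, verdict in audit(SAMPLE_CERTS).items():
        print(f"{host:22s} {verdict}")
```

A post-disclosure issue date only shows that a new certificate was deployed; it does not prove a new private key was generated, since a certificate can be reissued for an existing key. Confirming that the key itself was replaced, as the article reports Coles did on the Friday, is something only the site operator can verify.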
A GE Capital spokeswoman told Fairfax on Friday the same advice that has since been put on GE Money's websites.
Myer said in a statement that it was "confident" that GE was able to protect its customers against the Heartbleed bug.
"[GE] has taken the appropriate action to protect customer data in line with industry best practice," a Myer spokeswoman said on Tuesday.
Further calls and emails for details from Coles and GE went unanswered on Tuesday.
Comment is also being sought from 28degrees Mastercard, as well as other GE affected partners.
The revelation that GE's financial websites were vulnerable to Heartbleed follows a source telling Fairfax on Monday that the Commonwealth Bank of Australia's main website was also vulnerable, but not its NetBank website. A CBA spokeswoman said on Thursday that the bank had "patched against the Heartbleed bug".
It's understood CBA's main website - commbank.com.au - used Amazon Web Services' Elastic Load Balancing, which Amazon indicated was vulnerable to Heartbleed.
Amazon has since patched against it.
The source said other CBA sites - such as Commbiz and Commsec - were not vulnerable to Heartbleed.
CBA's official statement and a separate blog have infuriated many customers on Twitter and in the blog comments, as it doesn't reveal which CBA websites were vulnerable to Heartbleed. Security experts said that if a website was vulnerable to Heartbleed and it handled passwords then that information should be changed.
CBA was ridiculed for its stock-standard response to the Heartbleed fallout. To confuse matters further, CBA's NetBank website has been offline since 10.30am AEST on Tuesday.
A number of other websites including the Federal Court's Commonwealth Courts Portal, JB Hi-Fi, Priceline, and Australia's Computer Emergency Response Team websites were also vulnerable to Heartbleed and have since been patched. A number of other Australian small business websites remain exposed and have not patched against Heartbleed.
"The Heartbleed bug has put personal information held on many systems running OpenSSL at risk," Australian Information Commissioner, John McMillan, said on Friday.
Professor McMillan reminded all entities covered by Australia's Privacy Act that they "must take reasonable steps to protect the personal information they hold".
"Part of those obligations would include regularly monitoring the operation and effectiveness of their [information and communications technology] security measures to ensure that they remain responsive to changing threats and vulnerabilities and other issues that may impact the security of any personal information they hold," he said.
"Where a vulnerability has been identified, patches and software upgrades should be rolled out as soon as possible. Once organisations have patched the Heartbleed vulnerability, the [Office of the Australian Information Commissioner] strongly encourages them to assist their users to change their passwords."
This reporter is on Facebook: /bengrubb