Heartbleed and CoinJar Security

We published an update about the Heartbleed Challenge on Monday, 14 April.

By now, you’ve probably heard of the ‘Heartbleed’ bug. It’s a serious bug in OpenSSL that allows an attacker to access information on a secured server. OpenSSL is an industry standard and is part of the backbone of Internet security.

While there’s not a lot of good news around this flaw, we are happy to confirm that we are not affected by the bug. CoinJar’s SSL sites were patched by our service providers before the bug was publicly disclosed. Once the announcement was made we also verified that none of our services were running any of the affected versions (OpenSSL 1.0.1 through 1.0.1f inclusive).
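An added example (not CoinJar’s own code or tooling) of the verification step described above, in Python: it parses `openssl version` banners collected from a host inventory and flags builds inside the 1.0.1 through 1.0.1f range. The host names and banners are constructed samples.

```python
"""Inventory check for the Heartbleed-affected OpenSSL range, 1.0.1 through 1.0.1f."""
import re

# Leading part of an `openssl version` banner, e.g. "OpenSSL 1.0.1e 11 Feb 2013".
# A trailing "-beta1" / "-fips" style tag is captured separately from the letter suffix.
_BANNER_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(-[A-Za-z0-9]+)?", re.IGNORECASE)

# Letter suffixes inside the affected 1.0.1 line: none (the 1.0.1 release itself) through 'f'.
_AFFECTED_101_LETTERS = ("", "a", "b", "c", "d", "e", "f")


def parse_openssl_banner(banner):
    """Return (major, minor, fix, letter, tag) parsed from an `openssl version` banner."""
    m = _BANNER_RE.search(banner)
    if not m:
        raise ValueError("not an OpenSSL version banner: %r" % (banner,))
    major, minor, fix, letter, tag = m.groups()
    return int(major), int(minor), int(fix), letter.lower(), tag


def in_heartbleed_range(banner):
    """True if the banner names a release in 1.0.1 .. 1.0.1f inclusive, False for any
    other release, None for tagged builds (e.g. "-beta1", "-fips"), which this plain
    range check does not classify and which should be reviewed by hand."""
    major, minor, fix, letter, tag = parse_openssl_banner(banner)
    if tag is not None:
        return None
    if (major, minor, fix) != (1, 0, 1):
        return False
    return letter in _AFFECTED_101_LETTERS


def affected_hosts(inventory):
    """Split an iterable of (hostname, banner) pairs into (affected, needs_review)."""
    affected, review = [], []
    for host, banner in inventory:
        verdict = in_heartbleed_range(banner)
        if verdict is None:
            review.append(host)
        elif verdict:
            affected.append(host)
    return affected, review


# Constructed sample inventory (hypothetical hosts, not CoinJar systems).
SAMPLE_INVENTORY = [
    ("web-1", "OpenSSL 1.0.1e 11 Feb 2013"),        # inside the affected range
    ("web-2", "OpenSSL 1.0.1g 7 Apr 2014"),         # first fixed 1.0.1 release
    ("api-1", "OpenSSL 1.0.0k 5 Feb 2013"),         # older branch, outside the range
    ("lb-1", "OpenSSL 1.0.1 14 Mar 2012"),          # letter-less 1.0.1 release, affected
    ("dev-1", "OpenSSL 1.0.2-beta1 24 Feb 2014"),   # tagged build, flagged for review
]

if __name__ == "__main__":
    print(affected_hosts(SAMPLE_INVENTORY))  # (['web-1', 'lb-1'], ['dev-1'])
```

A banner check is only an inventory aid: distributions that backport the fix keep the old version string, so a host reported as affected here should be confirmed against the vendor's advisory before being treated as vulnerable.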

Although we aren’t affected by this flaw, many other organisations are. If you use your CoinJar password in any other place, we strongly recommend you change it as a precautionary measure. This serves as a timely reminder to use a strong, unique password for each of your Internet accounts and consider MFA (Multi Factor Authentication) as an added level of protection.

As always, please contact us via our Support Forum if you have any questions or concerns. You can learn more about Heartbleed here.

Update – Support Ticketing System

11 Apr 2014

In a blog post published yesterday, ENTP (the creator of CoinJar’s support ticketing system, named Tender) confirmed that Tender was never affected by the Heartbleed bug.

Information submitted to CoinJar Support via Tender is safe and sound.

Update – ID Verification Service

11 Apr 2014

CoinJar reached out to GreenID, our ID verification service provider, who confirmed that GreenID “are not using an affected version of the OpenSSL library”.

ID information submitted to CoinJar is safe and sound, and held in accordance with our Privacy Policy.

Comments (4):

  1. Joe

    April 10, 2014 at 12:31 pm

    Fantastic to hear that you were not affected. Any chance of adding yubikey support for 2FA?

    • Andrew (CoinJar)

      April 10, 2014 at 2:17 pm

      Hi Joe, it’s not something we support currently. I’ll pass the request on to our Security team for consideration.

  2. Ian

    April 11, 2014 at 3:18 pm

    That’s good that you patched the systems by the time the vulnerability was public, but what are your plans to renew your SSL keys?

    If I read correctly, you were running vulnerable SSL for a long time, and are relying on people not having known about the vulnerability, but have no way to verify your private keys weren’t stolen?

    • Aron (CoinJar)

      April 14, 2014 at 12:07 pm

      Hi Ian,

      Thanks for the comment. We’ll be posting a response to the CloudFlare Heartbleed challenge later on today.

      We started the process of updating our certs last week and are currently waiting on our service provider. It is highly unlikely that anyone has stolen our private keys, but it is impossible to be 100% certain. This is the unfortunate reality of the situation, and everyone is in the same boat.
