
What is Amazon's status regarding Heartbleed virus?

Initial post: Apr 9, 2014 6:09:12 PM PDT
Anyone (perhaps, Amazon?) know Amazon.com's status with regard to the Heartbleed virus?

Posted on Apr 9, 2014 6:14:05 PM PDT
OldAmazonian says:
[Post hidden: customers don't think this post adds to the discussion.]

In reply to an earlier post on Apr 9, 2014 6:33:19 PM PDT
tonyS says:
What was Amazon's response when you contacted them?

Posted on Apr 9, 2014 6:44:42 PM PDT
This Gizmodo article says Amazon was not affected:

http://gizmodo.com/heartbleed-why-the-internets-gaping-security-hole-is-1560812671

Posted on Apr 9, 2014 6:47:41 PM PDT
MK Blue says:
Word on the street is mixed for Amazon: that Amazon.com is clean or safe or updated or however you want to put it. Or not.

Word also had it that some of their other stuff--the business ISP arena--was not so up-to-date as of earlier today, or yesterday.

https://lastpass.com/heartbleed has an app for testing the sites of concern.

Here's the response for Amazon.com:

"The SSL certificate for amazon.com valid 1 month ago at Feb 27 00:00:00 2014 GMT.
This is before the heartbleed bug was published, it may need to be regenerated."

In reply to an earlier post on Apr 9, 2014 7:10:39 PM PDT
Last edited by the author on Apr 9, 2014 7:14:30 PM PDT
Grumbler says:
[Post hidden: customers don't think this post adds to the discussion.]

Posted on Apr 9, 2014 7:14:25 PM PDT
FF_Freak says:
Now .. there are a lot of computers on the internet and only ~500 million were vulnerable... They recommend updating certs only because it is an unlogged procedure and if information was ever disclosed in the 2+ years machines were vulnerable .. machines too old and too new (like last 48 hours) aren't vulnerable... Also another thing to consider is many mainstream load balancers were never vulnerable in that time period, and the back-end servers may be unencrypted (SSL offloading) traffic, meaning the vulnerability could never reach the server.. also most IDP/IPS cannot block all versions of this exploit (i.e. Snort) based on the various ways it can be presented. Get to version g of OpenSSL quickly. If 1.) in doubt, 2.) you match any of the below [source: www.heartbleed.com]:

Some operating system distributions that have shipped with potentially vulnerable OpenSSL version:

Debian Wheezy (stable), OpenSSL 1.0.1e-2+deb7u4
Ubuntu 12.04.4 LTS, OpenSSL 1.0.1-4ubuntu5.11
CentOS 6.5, OpenSSL 1.0.1e-15
Fedora 18, OpenSSL 1.0.1e-4
OpenBSD 5.3 (OpenSSL 1.0.1c 10 May 2012) and 5.4 (OpenSSL 1.0.1c 10 May 2012)
FreeBSD 10.0 - OpenSSL 1.0.1e 11 Feb 2013
NetBSD 5.0.2 (OpenSSL 1.0.1e)
OpenSUSE 12.2 (OpenSSL 1.0.1c)

Lastly, some Apache and nginx servers could have had vulnerable versions installed with the product. Remember, not if you *ARE* vulnerable, it is *IF YOU WERE EVER* vulnerable. UPDATE OPENSSL / NEW CERTS (SSL and SSH), and for extra paranoia consider all accounts compromised - update passwords. This is because the exploit discloses a random "bag of cats" to the attacker and the attacker can reach in whenever they want... they might get stuff, they might not, or partial disclosures - whatever is in that 64kb chunk of memory they get back. Anything plain text in memory area returned is game for disclosure.

Yea, it's pretty bad. Also Lastpass supposedly was one of those quasi things from what I read .. yes they were vulnerable, but in memory the data was always encrypted (good programming), so nothing was disclosed (if I got that right). Anyhow that's my belief that I know what I read, I am not saying everything is 100% true, but to my knowledge that is what I believe I have read on the subject.
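
An added example, not part of the post above or of any project's code: a Python sketch that sorts OpenSSL version strings, such as the ones in the distribution list above, by whether they fall in the upstream 1.0.1 through 1.0.1f range that "version g" fixes. The function name, status labels and the two strings marked as constructed are assumptions made for the illustration; a package suffix is flagged because distributions can ship a fix without changing the upstream letter.

```python
import re

# Version token as printed by `openssl version` or in a package description.
_VERSION = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]?)(\S*)", re.IGNORECASE)

def classify_openssl(text):
    """Return (status, needs_vendor_check) for one OpenSSL version string.

    status is one of the hypothetical labels "unparsed", "outside_1.0.1",
    "fixed_upstream" or "affected_range".
    """
    m = _VERSION.search(text)
    if m is None:
        return ("unparsed", True)
    branch = tuple(int(m.group(i)) for i in (1, 2, 3))
    letter, suffix = m.group(4).lower(), m.group(5)
    if branch != (1, 0, 1):
        # This sketch only covers the 1.0.1 branch discussed in the thread.
        return ("outside_1.0.1", False)
    if letter >= "g":
        # 1.0.1g and later letters carry the upstream fix.
        return ("fixed_upstream", False)
    # 1.0.1 (no letter) through 1.0.1f. A package suffix such as "-2+deb7u4"
    # marks a distribution build: a later package revision may be patched while
    # still reporting the same letter, so the vendor advisory decides.
    return ("affected_range", suffix.startswith("-"))

SAMPLES = [
    "Debian Wheezy (stable), OpenSSL 1.0.1e-2+deb7u4",   # from the list above
    "Ubuntu 12.04.4 LTS, OpenSSL 1.0.1-4ubuntu5.11",     # from the list above
    "FreeBSD 10.0 - OpenSSL 1.0.1e 11 Feb 2013",         # from the list above
    "OpenSSL 1.0.1g 7 Apr 2014",                         # constructed sample
    "OpenSSL 0.9.8y 5 Feb 2013",                         # constructed sample
]

def report(lines):
    """Classify every line and return (line, status, needs_vendor_check) rows."""
    return [(line,) + classify_openssl(line) for line in lines]

if __name__ == "__main__":
    for line, status, vendor in report(SAMPLES):
        note = " (check the vendor advisory)" if vendor else ""
        print(f"{status:15} {line}{note}")
```

An "affected_range" result says what the host is running now; as the post stresses, the question for certificates and passwords is whether it ever ran such a build.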

In reply to an earlier post on Apr 9, 2014 7:15:12 PM PDT
Grumbler says:
[Post hidden: customers don't think this post adds to the discussion.]

In reply to an earlier post on Apr 9, 2014 7:30:01 PM PDT
OldAmazonian says:
..." there are no real juggernauts of internet commerce wrapped up in this, [>>>as far as we know<<<.] No Amazon, no Google, no Microsoft."

Perhaps some plain speaker would define "wrapped up in this, as far as we know."

In reply to an earlier post on Apr 9, 2014 7:41:09 PM PDT
Dave says:
""Perhaps some plain speaker would define "wrapped up in this, as far as we know.""

My pleasure! It means: "we don't know" ;-)

Posted on Apr 12, 2014 1:38:04 PM PDT
Narvey says:
These people (" there are no real juggernauts of internet commerce wrapped up in this, [>>>as far as we know<<<.] No Amazon, no Google, no Microsoft.") obviously don't know what they are talking about because Google was affected (http://www.engadget.com/2014/04/09/google-heartbleed-patch-info/).

http://aws.amazon.com/security/security-bulletins/heartbleed-bug-update/ has information about amazon web services, but I still don't know about the main amazon.com website.

Amazon, please let me know when it is time to change my password. An email would be nice.

Posted on Apr 14, 2014 7:14:48 AM PDT
George Giles says:
[Post hidden: customers don't think this post adds to the discussion.]

Posted on Apr 14, 2014 7:35:51 AM PDT
Here is an article from mashable that compiles statements from a bunch of sites/services you may use:

http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/

In reply to an earlier post on Apr 15, 2014 1:43:39 PM PDT
Last edited by the author on Apr 15, 2014 1:44:06 PM PDT
jbmonco says:
My new question based on this article: http://www.pcmag.com/article2/0,2817,2456523,00.asp
is does this impact any Kindle Fire models or KindleTV?

I have sent this inquiry to Amazon and will let you know what they say.

In reply to an earlier post on Apr 15, 2014 7:26:19 PM PDT
Gizmodo was wrong.

Posted on Apr 16, 2014 9:19:43 AM PDT
Dragonfly says:
Re Heartbleed:
This article/chart on BGR (April 15) lists major sites that were affected, and includes "Amazon Web Services" on its list needing new safer passwords immediately. There's also a link for a browser fix to warn of unsafe sites.

Email, financial and major shopping sites are listed.

http://bgr.com/2014/04/15/heartbleed-checker-passwords-change-list/

Posted on Apr 16, 2014 11:01:07 AM PDT
jbmonco says:
Amazon's response to my question on Kindle Fire and FireTV was not illuminating. They simply expressed their understanding that I wanted to know if my software was up to date and told me how to check it. Well...that was NOT my question, my question was whether Heartbleed is or was an issue on these devices at any version. So I tried to ask them that again. We shall see.

Posted on Apr 16, 2014 11:26:02 AM PDT
Gillian says:
Everything I have read says that the Amazon store doesn't use OpenSSL so was not affected on any platform, whether PC, Kindle Fire, Fire TV, phone, etc. Amazon web services, which was affected, is a completely different entity and does not affect Amazon.com. If you're worried, though, it never hurts to change your password.

In reply to an earlier post on Apr 18, 2014 7:05:59 PM PDT
Prospero says:
You need to find out which version of Android the device is using and then check. From what I have read, Amazon is OK but some Android OS's (of which Kindle Fire devices use) had the issue. From a security release of mine:

"Heartbleed is a flaw in OpenSSL that could allow the theft of data normally protected on websites. Google recently announced that smart phones and tablets running the Android operating system 4.1.1 JellyBean are vulnerable. To see if your Android device is running this version go to the Settings menu, scroll to the bottom and select About Phone or About Tablet. "

Hope that helps.

Posted on Apr 20, 2014 9:31:26 AM PDT
Very concerned about my Kindle Fire - original model. I can't remember having an OS upgrade on it. I have reset it to factory defaults, hopefully clearing my various passwords. I like the device but my Amazon password has money attached, so until I see it's safe I really can't use it for reading my Kindle library.

In reply to an earlier post on Apr 20, 2014 11:12:53 AM PDT
jbmonco says:
The problem is that Amazon devices use a version of Android OS so on the original Kindle Fire the version is 6.3.2_user_4110520 - what does that tell me, does the 411 at the end indicate it's an affected version? Amazon's response only told me how to tell if I had the latest version installed not how to tell if the version was vulnerable or if a previous version was vulnerable.

Posted on Apr 21, 2014 4:23:18 AM PDT
Gillian says:
Heartbleed affects websites using OpenSSL, and you should change your password on any sites that use the affected version (see upthread for links to find out which major websites are and aren't affected. Amazon.com is not affected). Your version of the Kindle OS doesn't matter, though upgrading to the latest version is generally good anyway, if it doesn't upgrade automatically. There is no need to do a factory reset or avoid using your Kindle library. You do not need to change your Amazon password, but it never hurts to change your passwords periodically anyway.

In reply to an earlier post on Apr 21, 2014 9:15:05 AM PDT
jbmonco says:
Heartbleed also affects a variety of Android devices. KindleFire and FireTV are android devices. They may or may not be affected based on the version of Android they run. Since it's an Amazon fork of Android, their version numbers do not match the reports on the version affected (4.1.1) leaving their status...inconclusive. I don't doubt Amazon will upgrade if they are affected and the upgrade will happen seamlessly--I'd just love to know what the status is.

While you are right that Amazon.com was not affected, many Amazon offerings WERE affected (Amazon Web Services, for example). These services/APIs support other services (like Netflix, etc.), so they will probably have their own designation as to whether they are affected.

As for Amazon.com...you don't need to change your password due to Heartbleed, unless you use that same password on other sites that were affected by Heartbleed. Me, I've changed my Amazon.com password.

It is important to distinguish between Amazon.com and other aspects of Amazon (e.g. Heartbleed, Android devices)

This discussion

Discussion in:  Gold Box forum
Participants:  17
Total posts:  23
Initial post:  Apr 9, 2014
Latest post:  Apr 21, 2014
