Yesterday the OpenSSL project announced a vulnerability, the Heartbleed Bug, that affects the majority of businesses on the Internet. Information that would normally be secure, such as user credentials or secret keys, is exposed by this vulnerability.
As soon as the vulnerability was announced, the Monsoon Commerce technical team began assessing impact and vulnerabilities across all products, platforms, and service providers.
Update, 4/10/2014, 4:00pm PT:
- Alibris and Alibris Hosted Sites were never vulnerable to this bug. We made a full assessment, and our portfolio of services either did not use OpenSSL, did not use a compromised version of OpenSSL, and/or were protected from the vulnerability by secure firewalls. Following industry recommendations and established security best practices, security certificates were reissued after the full assessment was completed.
- At this point no marketplace partners (including Amazon, eBay, Rakuten) have recommended updating credentials.
Update, 4/10/2014, 11:30am PT:
A number of our marketplace and technology platform partners have confirmed that they are secure, including the following:
If you use other marketplaces and eCommerce technology service providers, we recommend that you contact those companies to confirm that they are also secure.
Update, 4/9/2014, 4:00pm PT:
Applicable to Monsoon Commerce products and services:
- All systems are secured against the Heartbleed Bug.
- All security certificates that might have been compromised have been replaced.
- We are continuing to work with our marketplace and technology platform partners to make sure that they are also secure.
Update, 4/9/2014, 9:00am PT:
- We’ve patched all of our internal systems with the new, secure version of OpenSSL where necessary. Many of our systems were unaffected, as they do not use this content library.
- We’re working with our marketplace and technology platform partners to make sure that they’re also secure.
- We’re updating SSL Certificates as the next phase of securing information.
In the event that our partners need to reset their credentials, we have contingency plans in place and will communicate those as needed.
Our team of engineers will continue to respond to this issue until we’re satisfied that all vulnerabilities under our control are secure.
We will continue to update this post as information becomes available, including any steps you need to take to secure your information.