On April 7th 2014, information about a vulnerability in OpenSSL was released. Landscape.io has been updated to mitigate and protect against attacks on this vulnerability.
This means that an attacker could potentially read private keys, passwords or anything else in the memory of the server process. A proof of concept showing the ability to read other users' cookies from vulnerable servers sprang up within hours of the initial announcement.
The version of OpenSSL used on our site was patched within hours of the initial announcement of Heartbleed, and there is no indication of any attack against the Landscape.io site. However, given the severity of the vulnerability and the difficulty of detecting abuse, we have taken the following additional steps:
- OpenSSL was patched within hours of the announcement.
- We have revoked our previous SSL certificate and replaced it with a new one.
- All browser sessions have been reset, to prevent session hijacking should an attacker have gained access to user cookies. You will need to log in again via GitHub.
- Internal passwords and keys have been reset.
We are waiting for GitHub to announce a way to request new OAuth tokens automatically. The GitHub API developers have added a new API call to renew OAuth tokens. All Landscape OAuth tokens have now been reset.
Keep an eye on the Landscape.io twitter account for updates and progress information on this issue.