Joomla

Announcement regarding Heartbleed Bug

Summary: Our software is NOT affected by the Heartbleed bug

The last two weeks have seen frenzied posts and statements on the Heartbleed bug. It is a major security flaw discovered in OpenSSL, the encryption and secure communications library used by key components of web sites, including the popular web servers Apache and Nginx. Dubbed Heartbleed, the bug allows a remote attacker to read small chunks of server memory, potentially (but not necessarily) including the secret keys used to encrypt communications between the server and your browser. The attack usually leaves no trace on the server.
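As an added illustration that is not part of the original announcement, the following C example (written for this page, not taken from OpenSSL) shows the kind of check that closes the bug: a heartbeat record handler that validates the peer-supplied payload length against the bytes actually received before copying anything. The `HB_*` names, the two demo functions and their sample records are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* TLS heartbeat (RFC 6520): type (1), payload_length (2, big-endian), payload, padding (>= 16). */
#define HB_REQUEST     1
#define HB_RESPONSE    2
#define HB_HEADER_LEN  3
#define HB_MIN_PADDING 16

/* Validate a heartbeat request and build the echo response in out. Returns the
 * response length, or -1 if the record is rejected. The check before the memcpy
 * is what the vulnerable OpenSSL code lacked: it trusted payload_length from the
 * peer and copied that many bytes, reading past the record into whatever else sat in memory. */
int heartbeat_respond(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap)
{
    if (rec_len < HB_HEADER_LEN + HB_MIN_PADDING) return -1;
    if (rec[0] != HB_REQUEST) return -1;
    size_t payload = ((size_t)rec[1] << 8) | rec[2];
    /* The fix: declared payload plus header and padding must fit inside the record. */
    if (HB_HEADER_LEN + payload + HB_MIN_PADDING > rec_len) return -1;
    size_t resp_len = HB_HEADER_LEN + payload + HB_MIN_PADDING;
    if (resp_len > out_cap) return -1;
    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(payload >> 8);
    out[2] = (uint8_t)(payload & 0xff);
    memcpy(out + HB_HEADER_LEN, rec + HB_HEADER_LEN, payload); /* only bytes that exist */
    memset(out + HB_HEADER_LEN + payload, 0, HB_MIN_PADDING);  /* explicit padding */
    return (int)resp_len;
}

/* Constructed sample: a well-formed request carrying the 5-byte payload "hello". */
int demo_valid_request(void)
{
    uint8_t rec[HB_HEADER_LEN + 5 + HB_MIN_PADDING] = { HB_REQUEST, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o' };
    uint8_t out[64];
    int n = heartbeat_respond(rec, sizeof rec, out, sizeof out);
    /* The echo must carry exactly the 5 bytes that were sent and nothing else. */
    if (n < 0 || out[0] != HB_RESPONSE || memcmp(out + HB_HEADER_LEN, "hello", 5) != 0) return -2;
    return n;
}

/* Constructed sample: a 19-byte record whose header claims a 65535-byte payload. */
int demo_overlong_claim(void)
{
    uint8_t rec[HB_HEADER_LEN + HB_MIN_PADDING] = { HB_REQUEST, 0xff, 0xff };
    uint8_t out[64];
    return heartbeat_respond(rec, sizeof rec, out, sizeof out);
}
```

The valid request is echoed as a 24-byte response, while the record that claims far more payload than it carries is rejected instead of being answered with bytes from beyond the record.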


Before going into the details of the bug, let us make something clear. Our software depends on Joomla for routing and does not use OpenSSL. As a result, J2Store is not affected by Heartbleed. This bug only affects OpenSSL, which is used by 66% of all web sites on the Internet to power their https:// URLs. If you are using an SSL certificate, please get in touch with your hosting service provider and have it replaced with a new one, since the private key behind it may have been exposed.

J2Store also does not store any financial information (such as credit card details or PayPal login information) in the database. So you DO NOT have to worry about a leak of financial information. NO important financial information is stored in your database or anywhere on your server. J2Store hands the financial transaction to payment processors such as PayPal and Authorize.Net.

In practical terms, security researchers have stated that they are not sure whether the Heartbleed bug has ever been used in the wild. Heartbleed is nine parts mass hysteria and one part security issue.

Even if the attack were used in the wild against a web server, the attacker would still have to perform a man-in-the-middle attack to eavesdrop on the (encrypted) communications between the server and the client, including the initial handshake, in order to decrypt the data being exchanged. This is a major concern when using the services of high-value targets (e.g. Google) but of practically no concern when using the services of a low-value target such as the sites of Joomla! extension developers. Banks, payment processors and other financial institutions seem to have escaped unscathed, as they were not using OpenSSL.

Even though our server, like 66% of the entire Internet, was running Apache with an OpenSSL version affected by this bug, to the best of our knowledge no information has been leaked from it.

However, since prevention is better than regret, we recommend that you change your passwords on all sites you have visited in the last two years, including our own. We still maintain that it is FAR more likely for your password to be stolen by malware than through the laborious exploitation of the Heartbleed bug.

In any case, please bear in mind that we never store or process financial information directly on our servers. All financial information (credit card data, PayPal login information) is NEVER processed by, or even transmitted to, our servers. We use PayPal and 2Checkout as our payment processors; they are well established and protected, and were not susceptible to the Heartbleed bug.

Our thanks also go to Nicholas K. Dionysopoulos (Akeeba Backup), who wrote an excellent post on this bug; this announcement is based on his post.
