|VoyForums News and Updates|
- Thursday, April 10, 2014: Announcement of "heartbleed" vulnerability in OpenSSL
- An announcement was made on April 7th of a vulnerability in the
open-source "Secure Sockets Layer" software, OpenSSL. This software is used
by us at Voyager, as well on servers around the world, including Yahoo!,
Imgur, and Google. Google points out that, "Search, Gmail, YouTube, Wallet,
Play, Apps and App Engine were affected."
- VoyForums software has been updated with the security fixes, and we
recommend you change your password(s).
- About the vulnerability:
- The bug allowed those who could exploit it to get a random chunk of
memory from the server (whatever data happened to be in that chunk of
memory). They could repeatedly do this, apparently, gaining access to
various random chunks of memory, but they could not actually choose which
memory they received. On VoyForums, this could have include usernames,
passwords, IP addresses, or email addresses (if transferred in either
direction). This also includes information your browser sends "behind the
scenes" between itself and the websites you visit (in cookies, and the "HTTP
header"). Thankfully, we removed our pay services almost completely several
years ago, and also entirely stopped accepting credit cards several months
ago (before the vulnerabilty became publicly known). Nevertheless, the bug
has existed since December 31st, 2011 (see the last note in this news
- Please keep in mind, stored data on our server is not available through
this bug, only information being accessed by the webserver software itself.
Our software runs separately from the webserver, so only data passed through
the web server or accessed by it, itself, was prone to exposure (this
includes the possibility that a webserver's private SSL (https) key is
exposed). We have updated our server software as well as established new
keys in our secure servers.
- While the vulnerability was announced on April 7th, 2014, it has existed
in the OpenSSL software since December 31st, 2011. It is possible that
systems around the world were succeptible to data leakage for this time if
any groups discovered the bug. It is worthwhile to note that many if not
most large financial institutions do not use OpenSSL, but as mentioned above,
even Google Wallet was apparently affected in some way. Please see GitHub's
list of the top 1000 sites to see if a site you use is affected, Wikipedia's page on the
Heartbleed bug for an overview, and some
responses from various sites about their affected systems. Of course,
please also do a web search for "heartbleed" if you wish to read more about
- Sunday, April 6, 2014: VoyForums delays expanding/opening members system
- We have been working on our member system to allow open access for all visitors, but we are delaying this
into next week in order to address security features due to the recent spam attacks on our system.
- [ Older news: VoyForums News Archive ]
Future updates to this page will be found at the
VoyForums News Page.
VoyForums(tm) is a Free Service from Voyager Info-Systems.
Copyright © 1998-2017 Voyager Info-Systems. All Rights Reserved.