Chess.com vs the Heartbleed Bug

As many of you already know, a major security flaw (now commonly known as "Heartbleed") was found in a popular software library used by thousands of popular websites, including Chess.com. After learning about the issue, our engineers quickly patched it: at present, Chess.com is no longer vulnerable.

We have no evidence that private customer data was ever accessed using this vulnerability, but as a precaution we are asking all of our customers to reset their passwords. Click here to change your password.

Because this bug affected so many websites, we suggest changing your passwords on other web-based services as well. Better safe than sorry.

- The Chess.com Team

Comments


  • 4 months ago

    Conflagration_Planet

    Darn!

  • 6 months ago

    saratonga

    I should also add that IF a site was vulnerable AND the private key was obtained by a third party, this key can be used to decrypt all past traffic (if it was intercepted) and future traffic as long as the same key pair is used. So if you have changed your password, it was potentially encrypted using this potentially broken key. This of course means that your new password is not safe.

  • 6 months ago

    saratonga

    When you log in, this happens via https:// You can then click on the lock icon in the address bar to find out more information about the certificate (along with the public key that was used to encrypt your info along the way. This is fine. The public key is supposed to be known to the public, hence the name).

    If this certificate is older than a few weeks AND chess.com was affected by the bug (which is the case), then it is possible (and from a security standpoint it has to be assumed) that someone got a hold of the private key of the server during the window of vulnerability (almost 2 years). This procedure leaves no traces in the log files either.

    This private key can be used to decrypt information you send to chess.com (likewise this is true for other sites). This would include login info as well as anything sensitive (such as cc data).

    It is possible to re-key a certificate (keep the certificate with a new set of private and public keys) in order to address this problem. I am not sure if chess.com has done that.

    Can we get some info on that?

  • 6 months ago

    diego_ma

    I just received an email from chess.com asking to update my credit card details. I did so and within a few minutes my bank notified me of some suspicious activity from chess.com... should I worry? Perhaps someone used the bug to have access to my account information and is phishing for my credit card details?

    This is serious. I'm just about to contact chess.com by other means.

  • 6 months ago

    machijv

    Thanks for letting me know!

  • 6 months ago

    LaughingCoffin

    Already did that.. But still, thanks ;)

  • 6 months ago

    Eugen

    I am not an expert in data security, but I would like to convey what experts say:

    Has this been done here on chess.com?

    Here is the link on the whole article by Kaspersky experts about "Heartbleed" and what should ordinary users do: http://blog.kaspersky.com/heartbleed-howto/

  • 6 months ago

    Eugen

    Changing a password is easy. I hope no credit cards data was stolen.

  • 6 months ago

    Mulaton

    thanks saratonga

  • 6 months ago

    saratonga

    @Mulaton: Facebook recommends that you change your password.

  • 6 months ago

    Benzodiazepine

    Master_Kaina speaks truth

    I, personally, don't particularly care about this 'sploit.

    Seems like it's far more usable in the hands of three-letter-government agencies.

    Either way, 2 years is a long time to patch such a critical "out-of-bounds" issue. Who knows what other holes exist in OpenSSL and what kind of shit (features) exist for Microsoft or Apple implementations of SSL and generally in commonly used softwarez.
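The "out-of-bounds" issue mentioned in the comment above is a missing length check in the TLS heartbeat handler: the server trusted the payload length declared inside the request and copied that many bytes back, even when the request it actually received was far shorter. The following is an added example, not code from Chess.com, OpenSSL or any commenter; it simulates the server's heap as a byte string and contrasts the unchecked copy with the patched check (declared length must fit inside the received record plus the padding RFC 6520 requires). The heap contents, payloads and lengths are constructed for the demonstration.

```python
import struct
from typing import Optional

# TLS heartbeat message layout (RFC 6520):
#   type (1 byte) | payload_length (2 bytes, big-endian) | payload | padding (>= 16 bytes)
HB_REQUEST = 1
HEADER_LEN = 3
MIN_PADDING = 16


def build_request(payload: bytes, claimed_length: Optional[int] = None) -> bytes:
    """Build a heartbeat request. claimed_length lets the demo construct a message
    whose declared payload length is larger than the payload it actually carries."""
    length = len(payload) if claimed_length is None else claimed_length
    return bytes([HB_REQUEST]) + struct.pack("!H", length) + payload + b"\x00" * MIN_PADDING


def echo_unchecked(memory: bytes) -> bytes:
    """Pre-patch behaviour, simulated: trust the declared length and copy that many
    bytes starting at the payload, regardless of where the received record ended."""
    payload_length = struct.unpack("!H", memory[1:HEADER_LEN])[0]
    return memory[HEADER_LEN:HEADER_LEN + payload_length]


def echo_checked(memory: bytes, record_length: int) -> Optional[bytes]:
    """Patched behaviour: the declared length must fit inside the record that was
    actually received (header + payload + minimum padding); otherwise discard it."""
    if record_length < HEADER_LEN + MIN_PADDING:
        return None
    if memory[0] != HB_REQUEST:
        return None
    payload_length = struct.unpack("!H", memory[1:HEADER_LEN])[0]
    if HEADER_LEN + payload_length + MIN_PADDING > record_length:
        return None
    return memory[HEADER_LEN:HEADER_LEN + payload_length]


# Constructed stand-in for whatever happened to sit next to the record in the
# server's heap (a labelled example string, not a real memory dump).
NEIGHBOURING_HEAP = b"[constructed heap data: session_token=EXAMPLE]"


def demo() -> dict:
    """Run both handlers over an honest and an over-declared request."""
    honest = build_request(b"hello")
    lying = build_request(b"hi", claimed_length=200)
    return {
        "honest_unchecked": echo_unchecked(honest + NEIGHBOURING_HEAP),
        "honest_checked": echo_checked(honest + NEIGHBOURING_HEAP, len(honest)),
        "lying_unchecked": echo_unchecked(lying + NEIGHBOURING_HEAP),
        "lying_checked": echo_checked(lying + NEIGHBOURING_HEAP, len(lying)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The honest request is echoed identically by both handlers; the over-declared one makes the unchecked handler return the neighbouring heap bytes, while the checked handler drops it. In a real process those neighbouring bytes are whatever the allocator placed there, which is why the comments below treat session data and even the server's private key as potentially exposed.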

  • 6 months ago

    Mulaton

    I enter with my facebook acc, so are you recommending me to change my facebook password?

  • 6 months ago

    Master_Kaina

    Simply more government/corporate abuse; code development,etc. is no exception ... Two years is a long time for this "Heart Bleed Bug" not to be noticed and/or publicly disclosed.

  • 6 months ago

    LaskerFan

    My credit card company has cancelled my old credit card and issued a new one, just to be safe.

  • 6 months ago

    Strobs88

    Hackers can take all my blunders and claim them for their own if that's what floats their boat.

  • 6 months ago

    iMacChess

    Like a lot of people I use my password several times every day. So changing it is no problem...

  • 6 months ago

    saratonga

    I am not extremely worried about my chess.com account, but also see no mention of rekeying ssl certificates. I was under the impression that one had to be revoked and reissued though. So thanks for that info...

  • 6 months ago

    j_rock

    First, unless someone hacked your account and dumped a bunch of games, I wouldn't worry. ;)  Secondly, there is "no evidence" anyone's info was compromised because there wouldn't be. People could access without leaving a trail. Thirdly, among other things, I'm sure they re-keyed the SSL(s). I wouldn't worry at all. Not about your chess.com account, anyway.

  • 6 months ago

    saratonga

    My understanding is that RAM could be read with this exploit (64K at a time but as often as one wants). These pieces could then be put together to reveal (among other things) encrypted passwords and credit card data. However, the encryption key (private key of the server) also resides in RAM when used so it is possible that it was revealed. This would make it possible for an attacker to read any encrypted information with ease (as they have the private key).

    Now that chess.com is no longer vulnerable, the real question is: Is the ssl certificate going to be replaced with a new one (and a new key)? Because otherwise as long as this (potentially compromised) key is used, your information is not any more secure than it was yesterday.
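The re-keying question raised in this comment (and earlier in the thread) is something a user can partly check from the outside: compare the certificate the site served before it patched with the one it serves now. The following is an added example, not Chess.com's code or any commenter's; it works on certificate summaries in the shape Python's `ssl.SSLSocket.getpeercert()` returns, and the two certificates, their dates and serial numbers, and the patch date passed in are all constructed for the demonstration.

```python
import ssl
from typing import Any, Dict

# Constructed certificate summaries in the shape ssl.SSLSocket.getpeercert()
# returns. Host name, serial numbers and dates are made up for the example.
CERT_SEEN_BEFORE_PATCH: Dict[str, Any] = {
    "subject": ((("commonName", "example.test"),),),
    "serialNumber": "0A1B2C",
    "notBefore": "Jun  1 00:00:00 2013 GMT",
    "notAfter": "Jun  1 00:00:00 2015 GMT",
}
CERT_SEEN_NOW: Dict[str, Any] = {
    "subject": ((("commonName", "example.test"),),),
    "serialNumber": "0D3E4F",
    "notBefore": "Apr 12 00:00:00 2014 GMT",
    "notAfter": "Apr 12 00:00:00 2016 GMT",
}


def was_in_use_during_exposure(cert: Dict[str, Any], patched_at: str) -> bool:
    """True if the certificate was already valid before the site was patched,
    i.e. its key was loaded in the server while the bug was exploitable."""
    return ssl.cert_time_to_seconds(cert["notBefore"]) < ssl.cert_time_to_seconds(patched_at)


def assess_rekey(before: Dict[str, Any], now: Dict[str, Any], patched_at: str) -> str:
    """Classify what the visible certificate change tells us.

    patched_at is the date the site fixed the bug, in getpeercert() date format
    (a site-specific value; the demo passes a constructed one)."""
    if now["serialNumber"] == before["serialNumber"]:
        # Same certificate, so the same key pair: it was exposed and is still in use.
        return "not-rekeyed"
    if was_in_use_during_exposure(now, patched_at):
        # A different certificate, but one issued while the bug was still live.
        return "reissued-before-patch"
    # Issued after the patch: consistent with a re-key (see the note on public keys).
    return "issued-after-patch"


if __name__ == "__main__":
    patch_date = "Apr  9 00:00:00 2014 GMT"  # constructed example patch date
    print(assess_rekey(CERT_SEEN_BEFORE_PATCH, CERT_SEEN_NOW, patch_date))
```

Two caveats a practitioner would add. First, a new serial number proves a new certificate, not a new key: a certificate can be reissued with the same public key, so confirm the SubjectPublicKeyInfo actually changed with a full X.509 parser (getpeercert() does not expose it). Second, replacing the certificate is only half the job; the old one has to be revoked, otherwise anyone holding its private key can still present it until it expires.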

  • 6 months ago

    mattwhpc

    I hope they hack my account. If they're smart enough to do that, I bet they'll probably play better chess than me.
