Heartbleed vulnerability

ngoni
ngoni Posts: 112 Tile Toppler
After running Bluebox Heartbleed Scanner, it reports MPQ is using OpenSSL version 1.0.1e with heartbeats enabled. This means it is vulnerable to reverse heartbleed attacks. I guess I'll wait to make any more IAP until this gets fixed.
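As an added example (not code from the thread or from the Bluebox scanner), here are the two passive checks a defender would run for this finding, in Python: parsing a TLS ClientHello for the heartbeat extension (type 0x000f, which is what "heartbeats enabled" means on the wire) and flagging a heartbeat record whose declared payload length exceeds what the record carries, the classic Heartbleed signature. All sample records are constructed inline.

```python
import struct

HEARTBEAT_EXT = 0x000F    # TLS "heartbeat" extension type (RFC 6520)
HEARTBEAT_RECORD = 24     # TLS record content type for heartbeat messages

def parse_client_hello_extensions(record: bytes) -> dict:
    """Walk a TLS ClientHello record and return {extension_type: extension_data}."""
    if len(record) < 9 or record[0] != 22 or record[5] != 1:
        raise ValueError("not a ClientHello handshake record")
    pos = 9 + 2 + 32                                   # skip client_version + random
    pos += 1 + record[pos]                             # session_id
    pos += 2 + struct.unpack("!H", record[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + record[pos]                             # compression_methods
    exts = {}
    if pos >= len(record):
        return exts                                    # no extensions block at all
    end = pos + 2 + struct.unpack("!H", record[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", record[pos:pos + 4])
        exts[etype] = record[pos + 4:pos + 4 + elen]
        pos += 4 + elen
    return exts

def client_advertises_heartbeat(record: bytes) -> bool:
    """The scanner's finding: does this client offer the heartbeat extension at all?"""
    return HEARTBEAT_EXT in parse_client_hello_extensions(record)

def heartbeat_length_mismatch(record: bytes) -> bool:
    """Heartbleed signature: a heartbeat that claims more payload than the record carries."""
    if len(record) < 8 or record[0] != HEARTBEAT_RECORD:
        return False
    rec_len, _hb_type, payload_len = struct.unpack("!HBH", record[3:8])
    return 1 + 2 + payload_len + 16 > rec_len         # type + length + payload + min padding

def build_client_hello(extensions) -> bytes:
    """Constructed sample ClientHello (TLS 1.2 body, one cipher suite) for testing."""
    ext_body = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    body = (b"\x03\x03" + bytes(32) + b"\x00"          # version, random, empty session_id
            + b"\x00\x02\xc0\x2f" + b"\x01\x00"        # one suite, null compression
            + struct.pack("!H", len(ext_body)) + ext_body)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

# Constructed samples: a client offering heartbeat (mode 1 = peer_allowed_to_send) and one that does not
HELLO_WITH_HB = build_client_hello([(0x0000, b"\x00"), (HEARTBEAT_EXT, b"\x01")])
HELLO_NO_HB = build_client_hello([(0x0000, b"\x00")])
# Constructed heartbeat records: well-formed (3-byte payload + 16 padding) and one claiming 16 KiB
GOOD_HB = b"\x18\x03\x01\x00\x16" + b"\x01\x00\x03abc" + bytes(16)
BAD_HB = b"\x18\x03\x01\x00\x16" + b"\x01\x40\x00abc" + bytes(16)
```

A client that never sends the extension cannot be hit by a reverse Heartbleed from a malicious server, which is why the presence of 0x000f in the ClientHello is the thing to watch in a capture.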

Comments

  • _RiO_
    _RiO_ Posts: 1,047 Chairperson of the Boards
    And now I wonder if this also affects the PC version.

    Developers, some comment please? Is the PC version of the game 'safe' or does it also use a compromised OpenSSL library?
  • That's pretty important. Did you send a ticket to CS already?
  • ngoni
    ngoni Posts: 112 Tile Toppler
    Yeah I sent in a ticket and the issue has been added to their 'todo' list.
  • _RiO_
    _RiO_ Posts: 1,047 Chairperson of the Boards
    edited April 2014
    ngoni wrote:
    Yeah I sent in a ticket and the issue has been added to their 'todo' list.

    [...] Seriously?

    Here we have one of the biggest security hazards of these past years to rear its head on the web. Renowned security experts are going so far as to state that "on a scale of 1 to 10, this is an 11".
    Oh, but don't worry! The issue "has been added to the 'todo' list" to be patched.

    No! No! No! You should bloody damn well roll out a zero-day hotfix patch for this! Rip out the compromised version of OpenSSL, replace it with a patched version and ship it! If you've got a version control system with tagged stable releases, then this should be a cake and should be feasible to rush through in under a day. You don't have time to bundle this with other patches and a full run of QA-testing; you're dealing with a damned zero-day exploit in the wild that is easily usable by damn near any script kiddie and wannabe hacker on the planet by now. The fact that you may break aspects of the game with a hotfix patch should take a very, very firm backseat to the fact that you are taking responsibility to preserve the safety and integrity of your customers' systems!
  • Unknown
    edited April 2014
    I think this is important. It wouldn't be funny if something happened.
  • ngoni
    ngoni Posts: 112 Tile Toppler
    r51 out and heartbeats still enabled on the Android client.