An anonymous reader writes:
They claim on their blog that they were not affected by Heartbleed, unlike their competitor (LastPass), but in fact they were.
Going to https://agilebits.com/onepassw... and looking at the certificate issue date (4/10/2014) indicates they reissued it recently.
Additionally their own discussion forum admin admits they had to patch their OpenSSL on their website. http://discussions.agilebits.c...
So a malicious attacker could have stolen their main website's wild-card key and certificate to impersonate their website and trick people into downloading software with malware instead.
They were the same as LastPass in that user password data wasn't compromised, but LastPass was more transparent about it.
http://discussions.agilebits.c...
Hi @Quantumpanda,
Our website (agilebits.com) has been fixed with the patched version of OpenSSL, and is using a newly issued SSL certificate.
The forum (discussions.agilebits.com) does not use SSL (as you can see by looking at the URL, it's http), thus is not affected. With that said, we should be using SSL on the forum as well, and we're looking into it.
http://blog.agilebits.com/2014...
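The check the submitter describes (reading a site's certificate issue date and comparing it with the Heartbleed disclosure) can be scripted. The following is an added example, not code from the story, from AgileBits or from LastPass. It parses the output of `openssl x509 -noout -dates` (the sample output below is constructed, not captured from agilebits.com), uses the standard-library `ssl.cert_time_to_seconds` to decode the date format, and reports whether the certificate's `notBefore` falls after the assumed disclosure cut-off of 7 April 2014. The `fetch_not_before` helper is optional and needs network access; it is not exercised by the offline part.

```python
import socket
import ssl
from datetime import datetime, timezone

# Assumed cut-off: public disclosure of Heartbleed (CVE-2014-0160) on 7 April 2014.
# A certificate issued before this date on a server that ran a vulnerable OpenSSL
# should be treated as possibly exposed and in need of reissue/revocation.
HEARTBLEED_DISCLOSURE = datetime(2014, 4, 7, tzinfo=timezone.utc)

# Constructed sample of `openssl x509 -noout -dates` output for a reissued certificate.
SAMPLE_REISSUED = """notBefore=Apr 10 00:00:00 2014 GMT
notAfter=Apr 10 23:59:59 2016 GMT
"""

# Constructed sample for a certificate that predates the disclosure.
SAMPLE_OLD = """notBefore=Jan 15 00:00:00 2013 GMT
notAfter=Jan 15 23:59:59 2015 GMT
"""


def parse_openssl_dates(text):
    """Parse `openssl x509 -noout -dates` output into timezone-aware datetimes.

    The values use the same 'Mon DD HH:MM:SS YYYY GMT' layout that
    ssl.SSLSocket.getpeercert() returns, so ssl.cert_time_to_seconds decodes them.
    """
    dates = {}
    for line in text.splitlines():
        line = line.strip()
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        if key in ("notBefore", "notAfter"):
            seconds = ssl.cert_time_to_seconds(value.strip())
            dates[key] = datetime.fromtimestamp(seconds, tz=timezone.utc)
    return dates


def heartbleed_reissue_status(not_before, disclosure=HEARTBLEED_DISCLOSURE):
    """Classify a certificate by whether it was issued after the disclosure date."""
    if not_before >= disclosure:
        return "reissued-after-disclosure"
    return "issued-before-disclosure"


def assess_openssl_dates(text):
    """Convenience wrapper: parse the dates text and return the status string."""
    dates = parse_openssl_dates(text)
    if "notBefore" not in dates:
        raise ValueError("no notBefore field found in input")
    return heartbleed_reissue_status(dates["notBefore"])


def fetch_not_before(host, port=443):
    """Optional live check (needs network): read notBefore from the server's certificate."""
    context = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with context.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    seconds = ssl.cert_time_to_seconds(cert["notBefore"])
    return datetime.fromtimestamp(seconds, tz=timezone.utc)


if __name__ == "__main__":
    print("reissued sample:", assess_openssl_dates(SAMPLE_REISSUED))
    print("old sample:     ", assess_openssl_dates(SAMPLE_OLD))
```

A certificate that was reissued after disclosure, as the 4/10/2014 date in the story suggests, is only half the picture: the old certificate should also appear as revoked in the CA's CRL or OCSP response, since a stolen key stays usable until clients stop trusting the old certificate.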