Xero unaffected by OpenSSL issue

A security flaw has been discovered in the popular OpenSSL cryptographic software library that is used by up to two thirds of the internet, as well as by a small number of services that Xero uses. Xero has in no way been affected, and your data is safe. More information is available at the OpenSSL page which includes the Security Advisory.

The researchers who discovered this issue have given it the dramatic name of “Heartbleed”, which you may also see referenced in some news articles.

Steps Xero has taken

Any time there is a potential threat to Xero, we conduct a Security Incident process which includes investigating the potential impact to Xero and our customers.

  • The immediate step we took was to evaluate which Xero systems use OpenSSL, and whether they used the affected version. The majority of our environment does not use OpenSSL as we run predominantly Microsoft technologies. The sweep of our environment showed no servers or sites running the affected versions.

  • The second step was to evaluate which external systems we, or direct customers, use that may be vulnerable. The only vulnerable site identified was our Australian Partner ‘Toolkit’, which stores no customer data and does not allow users to log in. Our third-party hoster for that environment is August, and they admirably patched the issue within 30 minutes, for which we thank them. The Xero Toolkit site is no longer vulnerable.

As stated above, we have no reason to believe that any of Xero’s environment is affected by this OpenSSL issue. We count ourselves lucky in this case, as a lot of other SaaS providers haven’t been as fortunate.

What you can do

Even though your Xero account is not affected, it is good practice to change the passwords you use online regularly, and to use a different password for each site.

To protect you from other sites that you use being compromised, consider changing all your passwords for important services now, while it’s at the front of your mind.

To manage multiple passwords for different websites, so that you don’t have to remember them all, we recommend the use of a password manager such as KeePass.

What we will do next

While no immediate action is needed to protect our users, we are looking at whether there are further steps we can take to add protection. I’ll update this post later with any action we take as an outcome of this threat.

If you have any questions, please do not hesitate to contact me (Security Officer, Xero) via our support channel (support@xero.com).

20 comments

Benny
9 April 2014 #

“A security flaw has been discovered in the popular OpenSSL cryptographic software library that is used by up to two thirds of the internet”

OpenSSL is not used by two thirds of the Internet. You seem to be confused about the market share of Apache+nginx. It’s still amazing that the security of a significant portion of the Internet is in the hands of fewer than a dozen part-time developers.

Heather Smith
9 April 2014 #

Hi Kirk, is it OK to use the password manager Last Pass and recommend it to clients?

Kerry
9 April 2014 #

Were you not aware of this issue until it was announced publicly today?

Kirk Jackson
9 April 2014 #

Hi @Heather, there’s plenty of good password managers and lots of people use LastPass – so you should be fine.

Kirk Jackson
9 April 2014 #

Hi @Kerry, we became aware of it early Monday morning NZ time, around the same time the rest of the internet heard about it. A couple of large companies were involved with the security researchers co-ordinating the security fixes and disclosure process, but they did not make the issue public until yesterday.

Justin
10 April 2014 #

I’m going to take this opportunity to promote the Two Factor authentication discussion here: https://community.xero.com/business/discussion/1386112. I have this activated on almost ALL of my online accounts but for some reason Xero has been unwilling or unable to set it up. Guys, please… this would give us a huge feature to help protect our financial data from being attacked.

Justin

Thanks for that news, that can be a good news for frequent users of these machines. A simple password change can solve the problem.

Cassandra Scott
10 April 2014 #

@xero Thanks for the heads up. It wasn’t until I saw your blog post that I heard about this. It was only after that that I started seeing other information about this issue being made known.

One of the articles that I have read says that until you receive advice from your relevant software provider that they have resolved the issue (or are not affected by it, as Xero have indicated), changing passwords is useless, as they will still be subject to the vulnerability.

Can you shed any insight into this?

Kirk Jackson
10 April 2014 #

Hi @Cassandra,

I’d agree with that advice.

However, if you use the same password on all the services you use across the internet, I’d recommend that now is a good time to pro-actively change your password on each service to something unique to that service. That means that if your password was breached on one site, at least all the other services you use on the internet won’t be able to be accessed with that password.

Kirk Jackson
10 April 2014 #

Hi @Justin,

I hear you and agree. We do plan to do it, and will keep that thread updated with our progress.

Interestingly, I don’t think 2FA would necessarily protect you against these OpenSSL issues, as the vulnerability was wider in scope than just the authentication process between a browser and web server. Still very desirable to have 2FA for other reasons, of course.

I will also add that we support Google login into Xero, which includes 2FA if you have it switched on – so if you use that mechanism to log in to Xero, you can use your regular Google Authenticator.

Nigel
10 April 2014 #

Hi Kirk. Using two factor authentication via Google sounds interesting. Please can you provide or link to more information? Thanks.

Kirk Jackson
10 April 2014 #

Hi @Nigel,

Here’s a link to our help that will guide you through setting up Google SSO. Once you’ve done that, you can change your Xero password to something complex, and store it in your password safe, and never need to use it again.

Tim Ackers
10 April 2014 #

Hi @Heather
Lastpass confirm that they are not vulnerable:
http://blog.lastpass.com/2014/04/lastpass-and-heartbleed-bug.html

Jerry Zhao
11 April 2014 #

Good to know that! They are all over the news…

John Chen
14 April 2014 #

Great news that action has been taken against this.

Fraser
15 April 2014 #

Xero is in no way affected? But you guys sure use OpenSSL for your API?

http://developer.xero.com/documentation/advanced-docs/public-private-keypair/

Assuming this has been patched already or using earlier versions without this security flaw?

Kirk Jackson
15 April 2014 #

Hi @Fraser,

Sorry for the confusion.

On the Developer Centre documentation page you refer to, our recommendation to use OpenSSL is just for the creation of application certificates.

Essentially, this is a completely different tool that’s a part of the same OpenSSL family of utilities, and is not related to the usage of OpenSSL that has had the issues identified recently.

The “Heartbleed” bug does not affect the generation of public / private keypairs, and it’s perfectly safe to continue generating your keys in this manner.

I hope that clears things up!

Fraser
16 April 2014 #

Thanks for the explanation Kirk!

Keep it up!

Roger
18 April 2014 #

Thank you for the update. Quick question: We accept payments through online invoicing and Stripe integration. I noticed that Stripe may have been affected. It’s my understanding that the communication between Stripe payments on our online invoicing is channeled through Xero’s SSL and not Stripe’s, so it shouldn’t be an issue. But, could someone please confirm how that integration works exactly? A few of our clients are asking about our payment systems, and I’d like to follow Xero’s lead and write a quick blog post about it on our website.

Thanks in advance,

Roger

Kirk Jackson
18 April 2014 #

Hi @Roger,

Stripe works a bit differently than you might expect:

The user opens the Xero online invoicing link in their browser and views the invoice.
If they choose to pay, JavaScript in their browser sends their credit card details directly from their browser to Stripe. All Xero’s servers see is the token that Stripe returns in response, which indicates success or failure.

We use the “Custom Forms” Stripe integration pattern, although we built a nice Xero user interface on top:
https://stripe.com/docs/tutorials/forms

Stripe have written up details of their response to Heartbleed on their blog:
https://stripe.com/blog/heartbleed

I hope that helps with your own blog post!
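The security property of the tokenisation flow described above is that the merchant server only ever receives a token, never a card number. The following is an added example, not Xero’s or Stripe’s code, of a server-side guard that enforces that property: it accepts only an invoice id plus a token and rejects any payload carrying card-number-like data, so a front-end regression or a tampered client cannot quietly route card data through the server. The `tok_` token format and the `invoiceId`/`token` field names are assumptions for illustration.

```javascript
// Added example (not Xero's or Stripe's code). Field names and the token
// format are assumptions for illustration only.

// Luhn check, used to recognise a primary account number (PAN) in a payload.
function luhnValid(digits) {
  let sum = 0;
  let doubleIt = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (doubleIt) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    doubleIt = !doubleIt;
  }
  return sum % 10 === 0;
}

// True if any string value in the payload (searched recursively) looks like a
// PAN: 13 to 19 digits after stripping spaces and dashes, passing Luhn.
function containsPanLike(value) {
  if (typeof value === 'string') {
    const digits = value.replace(/[\s-]/g, '');
    return /^\d{13,19}$/.test(digits) && luhnValid(digits);
  }
  if (value && typeof value === 'object') {
    return Object.values(value).some(containsPanLike);
  }
  return false;
}

// Assumed token shape: "tok_" followed by alphanumerics (illustrative only).
const TOKEN_RE = /^tok_[A-Za-z0-9]+$/;

// Decide whether a payment request may proceed. Returns { ok, reason }.
// Card data is checked first so that a rejection is logged for the right
// reason even when the rest of the payload is malformed.
function acceptPaymentRequest(body) {
  const keys = Object.keys(body || {});
  if (containsPanLike(body)) {
    return { ok: false, reason: 'card data must go to the payment provider, not this server' };
  }
  if (keys.length !== 2 || !keys.includes('invoiceId') || !keys.includes('token')) {
    return { ok: false, reason: 'expected exactly invoiceId and token' };
  }
  if (!TOKEN_RE.test(body.token)) {
    return { ok: false, reason: 'malformed token' };
  }
  return { ok: true, reason: 'token accepted; charge via provider API' };
}
```

A rejected request with the first reason is worth alerting on, since it means card data reached a server that should never see it.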
