Xero unaffected by OpenSSL issue

A security flaw has been discovered in the popular OpenSSL cryptographic software library that is used by up to two thirds of the internet, as well as by a small number of services that Xero uses. Xero has in no way been affected, and your data is safe. More information is available on the OpenSSL page, which includes the security advisory.

The researchers who discovered this issue have given it the dramatic name of “Heartbleed”, which you may also see referenced in some news articles.

Steps Xero has taken

Any time there is a potential threat to Xero, we conduct a Security Incident process which includes investigating the potential impact to Xero and our customers.

  • The immediate step we took was to evaluate which Xero systems use OpenSSL, and whether they used the affected version. The majority of our environment does not use OpenSSL as we run predominantly Microsoft technologies. The sweep of our environment showed no servers or sites running the affected versions.

  • The second step was to evaluate which external systems we, or direct customers, use that may be vulnerable. The only vulnerable site identified was our Australian Partner ‘Toolkit’, which stores no customer data and does not allow users to log in. Our third-party hosting provider for that environment is August, and they admirably patched the issue within 30 minutes, for which we thank them. The Xero Toolkit site is no longer vulnerable.

As stated above, we have no reason to believe that any of Xero’s environment is affected by this OpenSSL issue. We count ourselves lucky in this case, as a lot of other SaaS providers haven’t been as fortunate.

What you can do

Even though your Xero account is not affected, it is good practice to change the passwords you use online regularly, and to use a different password for each site you use.

To protect you from other sites that you use being compromised, consider changing all your passwords for important services now, while it’s at the front of your mind.

To manage multiple passwords for different websites, so that you don’t have to remember them all, we recommend the use of a password manager such as KeePass.

What we will do next

While we don’t have any immediate actions needed to protect our users, we are looking at whether there are any further steps we can take to add additional protection. I’ll update this post later with any action we take as an outcome of this threat.

If you have any questions, please do not hesitate to contact me (Security Officer, Xero) via our support channel (support@xero.com).



April 9, 2014 at 7:35 pm

“A security flaw has been discovered in the popular OpenSSL cryptographic software library that is used by up to two thirds of the internet”

OpenSSL is not used by two thirds of the Internet. You seem to be confused about the market share of Apache+nginx. It’s still amazing that the security of a significant portion of the Internet is in the hands of fewer than a dozen part-time developers.

Heather Smith
April 9, 2014 at 8:31 pm

Hi Kirk, is it OK to use the password manager Last Pass and recommend it to clients?

Kirk Jackson in reply to Heather Smith
April 9, 2014 at 9:58 pm

Hi @Heather, there’s plenty of good password managers and lots of people use LastPass – so you should be fine.

April 9, 2014 at 8:42 pm

Were you not aware of this issue until it was announced publicly today?

Kirk Jackson in reply to Kerry
April 9, 2014 at 10:00 pm

Hi @Kerry, we became aware of it early Monday morning NZ time, around the same time the rest of the internet heard about it. A couple of large companies were involved with the security researchers co-ordinating the security fixes and disclosure process, but they did not make the issue public until yesterday.

April 10, 2014 at 9:42 am

I’m going to take this opportunity to promote the Two Factor authentication discussion here: https://community.xero.com/business/discussion/1386112. I have this activated on almost ALL of my online accounts but for some reason Xero has been unwilling or unable to set it up. Guys, please… this would give us a huge feature to help protect our financial data from being attacked.


Kirk Jackson in reply to Justin
April 10, 2014 at 12:30 pm

Hi @Justin,

I hear you and agree. We do plan to do it, and will keep that thread updated with our progress.

Interestingly, I don’t think 2FA would necessarily protect you against these OpenSSL issues, as the vulnerability was wider in scope than just the authentication process between a browser and web server. Still very desirable to have 2FA for other reasons, of course.

I will also add that we support Google login into Xero, which includes 2FA if you have it switched on – so if you use that mechanism to log in to Xero, you can use your regular Google Authenticator.
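Why a bug like this reaches past the login step: the Heartbleed defect was a missing length check in OpenSSL's TLS heartbeat handling (RFC 6520), which let a peer claim a payload far larger than it actually sent and receive whatever else sat in the server process's memory, session cookies and keys included. The C snippet below is added here as an illustration and is not code from the original post or from OpenSSL; it shows the shape of the corrected check, using the RFC 6520 message layout and two constructed sample records.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST     1
#define HB_RESPONSE    2
#define HB_MIN_PADDING 16   /* RFC 6520: at least 16 bytes of padding */

/* Build the heartbeat response for the request held in rec[0..rec_len).
 * Returns the number of bytes written to out, or -1 if the request is
 * rejected. Simplified illustration, not OpenSSL's code. */
int heartbeat_respond(const uint8_t *rec, size_t rec_len,
                      uint8_t *out, size_t out_cap)
{
    if (rec_len < 3 || rec[0] != HB_REQUEST) return -1;
    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];
    /* The bounds check Heartbleed lacked: the peer's claimed payload
     * length must fit inside the record it actually sent, together with
     * the 3-byte header and the minimum padding. Without it, the memcpy
     * below would read payload_len bytes past the end of the record. */
    if (3 + payload_len + HB_MIN_PADDING > rec_len) return -1;
    size_t resp_len = 3 + payload_len + HB_MIN_PADDING;
    if (resp_len > out_cap) return -1;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload_len);            /* echo validated bytes only */
    memset(out + 3 + payload_len, 0, HB_MIN_PADDING); /* TLS uses random padding; zero here */
    return (int)resp_len;
}

/* Constructed sample records: a well-formed request with a 5-byte payload,
 * and the same 24 bytes claiming a 65535-byte payload (the Heartbleed shape). */
static const uint8_t good_req[24] = {1, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o', 0};
static const uint8_t bad_req[24]  = {1, 0xFF, 0xFF, 'h', 'e', 'l', 'l', 'o', 0};
static uint8_t scratch[64];

/* Returns 1 when the good request is echoed and the oversized one is refused. */
int self_check(void)
{
    int n = heartbeat_respond(good_req, sizeof good_req, scratch, sizeof scratch);
    if (n != 24 || scratch[0] != HB_RESPONSE || memcmp(scratch + 3, "hello", 5)) return 0;
    return heartbeat_respond(bad_req, sizeof bad_req, scratch, sizeof scratch) == -1;
}

int main(void)
{
    printf("heartbeat bounds check %s\n", self_check() ? "holds" : "FAILED");
    return 0;
}
```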

income tax specialist rancho cucamonga
April 10, 2014 at 10:00 am

Thanks for that news; that can be good news for frequent users of these machines. A simple password change can solve the problem.

Cassandra Scott
April 10, 2014 at 12:17 pm

@xero Thanks for the heads up. It wasn't until I saw your blog post that I heard about this. It was only after that that I started seeing other information about this issue being made known.

One of the articles I have read says that until you receive advice from your relevant software provider that they have resolved the issue (or are not affected by it, as Xero have indicated), changing passwords is useless, as they will still be subject to the vulnerability.

Can you shed any insight into this?

Kirk Jackson in reply to Cassandra Scott
April 10, 2014 at 12:23 pm

Hi @Cassandra,

I’d agree with that advice.

However, if you use the same password on all the services you use across the internet, I’d recommend that now is a good time to proactively change your password on each service to something unique to that service. That means that if your password was breached on one site, at least all the other services you use on the internet can’t be accessed with that password.

April 10, 2014 at 2:24 pm

Hi Kirk. Using two factor authentication via Google sounds interesting. Please can you provide or link to more information? Thanks.

Kirk Jackson in reply to Nigel
April 10, 2014 at 3:04 pm

Hi @Nigel,

Here’s a link to our help that will guide you through setting up Google SSO. Once you’ve done that, you can change your Xero password to something complex, and store it in your password safe, and never need to use it again.

Jerry Zhao
April 11, 2014 at 6:13 pm

good to know that! they are all over the news…

John Chen
April 14, 2014 at 11:12 am

Great news that action has been taken against this.

Kirk Jackson in reply to Fraser
April 15, 2014 at 3:31 pm

Hi @Fraser,

Sorry for the confusion.

On the Developer Centre documentation page you refer to, our recommendation to use OpenSSL is just for the creation of application certificates.

Essentially, this is a completely different tool that’s a part of the same OpenSSL family of utilities, and is not related to the usage of OpenSSL that has had the issues identified recently.

The “Heartbleed” bug does not affect the generation of public/private key pairs, and it’s perfectly safe to continue generating your keys in this manner.

I hope that clears things up!

April 16, 2014 at 11:35 am

Thanks for the explanation Kirk!

Keep it up!

April 18, 2014 at 6:04 am

Thank you for the update. Quick question: We accept payments through online invoicing and Stripe integration. I noticed that Stripe may have been affected. It’s my understanding that the communication between Stripe payments on our online invoicing is channeled through Xero’s SSL and not Stripe’s, so it shouldn’t be an issue. But, could someone please confirm how that integration works exactly? A few of our clients are asking about our payment systems, and I’d like to follow Xero’s lead and write a quick blog post about it on our website.

Thanks in advance,


Kirk Jackson in reply to Roger
April 18, 2014 at 7:54 am

Hi @Roger,

Stripe works a bit differently than you might expect:

  • The user opens the Xero online invoicing link in their browser and views the invoice.

  • If they choose to pay, JavaScript in their browser communicates their credit card details directly from their browser to Stripe. All Xero’s servers see is the token that Stripe returns in response, which indicates success or failure.

We use the “Custom Forms” Stripe integration pattern, although we built a nice Xero user interface on top:

Stripe have written up details of their response to Heartbleed on their blog:

I hope that helps with your own blog post!
