Autohotkey OpenSSL Vulnerability



6 replies to this topic
Sanctus
  • Members
  • 283 posts
  • Last active: Dec 06 2014 04:05 PM
  • Joined: 30 Nov 2012

http://filippo.io/He...#autohotkey.com

 

Seems to be vulnerable.

Please take immediate action, so our passwords can be safe.


Check out ALL My Scripts  ;)


tank
  • Administrators
  • 4345 posts
  • AutoHotkey Foundation
  • Last active: Apr 19 2019 05:49 PM
  • Joined: 21 Dec 2007

Heartbleed only affects the ability to decrypt TLS/SSL encrypted traffic using a public and private key.

Since autohotkey.com and ahkscript.org are both without TLS encryption, this bug is irrelevant. Your data is always visible to port sniffers anyway.

I'm sure Poly shares my sentiment that if you wish to pony up the hundreds of dollars necessary to apply a certificate, we would be willing to implement encryption that does not have this vulnerability.

The sad truth is this. No HTTPS was always insecure. HTTPS was incorrectly assumed to be secure.

It's the wild west of the internet days, and even if Heartbleed didn't exist it's way too easy to steal your passwords anyhow.

But really, why would someone WANT your AHK password? You're not silly enough to use the same password for everything, are you?


Never lose.
WIN or LEARN.

Sanctus
  • Members
  • 283 posts
  • Last active: Dec 06 2014 04:05 PM
  • Joined: 30 Nov 2012

Heartbleed only affects the ability to decrypt TLS/SSL encrypted traffic using a public and private key.

Since autohotkey.com and ahkscript.org are both without TLS encryption, this bug is irrelevant. Your data is always visible to port sniffers anyway.

I'm sure Poly shares my sentiment that if you wish to pony up the hundreds of dollars necessary to apply a certificate, we would be willing to implement encryption that does not have this vulnerability.

The sad truth is this. No HTTPS was always insecure. HTTPS was incorrectly assumed to be secure.

It's the wild west of the internet days, and even if Heartbleed didn't exist it's way too easy to steal your passwords anyhow.

But really, why would someone WANT your AHK password? You're not silly enough to use the same password for everything, are you?

I am one of those people who have over 100 passwords and usually have to type about 10 before I remember the one I am using for that site.

But there are a lot of people that use the same password for many games, and forums usually are the first place where the passwords get stolen from.

So this was more of a PSA rather than a plea for my own sake.


Check out ALL My Scripts  ;)


tank
  • Administrators
  • 4345 posts
  • AutoHotkey Foundation
  • Last active: Apr 19 2019 05:49 PM
  • Joined: 21 Dec 2007
✓  Best Answer

You started this thread asking to patch the OpenSSL bug codenamed "Heartbleed". Good news!!! We don't have SSL or OpenSSL, so there is no "Heartbleed". Wish granted!!! B)  Your passwords have always been vulnerable to man-in-the-middle attacks from this domain. :/  It appears SSL never actually offered any protection from this either :(  so luckily we haven't wasted any money on an SSL cert.  B)

So since there is no exploit to fix on this site, then what are you asking to be done?


Never lose.
WIN or LEARN.

Sanctus
  • Members
  • 283 posts
  • Last active: Dec 06 2014 04:05 PM
  • Joined: 30 Nov 2012

You started this thread asking to patch the OpenSSL bug codenamed "Heartbleed". Good news!!! We don't have SSL or OpenSSL, so there is no "Heartbleed". Wish granted!!! B)  Your passwords have always been vulnerable to man-in-the-middle attacks from this domain. :/  It appears SSL never actually offered any protection from this either :(  so luckily we haven't wasted any money on an SSL cert.  B)

So since there is no exploit to fix on this site, then what are you asking to be done?

First off, when I started checking out this Heartbleed bug and the filippo client to find vulnerable sites,

I was just randomly checking sites that I know of for fun, and AHK happened to come up as vulnerable.

So I assumed that it was detecting if AHK was using OpenSSL for it to exploit, that it was then able to exploit.

But since there has never been SSL on this site, this thread is just rather embarrassing  :shy:

 

At least it may serve as a PSA for some people that have the same password on many sites, so they understand that it is incredibly risky.


Check out ALL My Scripts  ;)


tank
  • Administrators
  • 4345 posts
  • AutoHotkey Foundation
  • Last active: Apr 19 2019 05:49 PM
  • Joined: 21 Dec 2007

At least it may serve as a PSA for some people that have the same password on many sites, so they understand that it is incredibly risky.

On that, sir, you and I agree.


Never lose.
WIN or LEARN.

Chunjee
  • Members
  • 57 posts
  • Last active: Jan 13 2015 09:18 PM
  • Joined: 30 Nov 2012

Interesting discussion. Thanks.