iOS, OS X and key iCloud services not affected by Heartbleed, Apple confirms

By , Apr 10, 2014

Heartbleed logo

If you’ve as much as glanced at what’s your inbox lately, chances are you’ve encountered messages in which your favorite apps and services announce emergency password resets in the wake of Heartbleed, a nasty bug that’s attacking millions of websites. And unless you’ve been sleeping under a rock for the past week, you must be aware by now that a shockingly high number of websites are at risk.

The latest security scare stems from a devastating flaw in the OpenSSL software many websites use to authorize login sessions and encrypt and transmit user data. Long story short, the exploit allows attackers to easily scoop up the website’s encryption keys, passwords and user content, prompting tons of emergency password resets by some of the Internet’s most popular services.

But what about your Apple ID? Have the keys to your account in the Apple cloud been compromised? How about iCloud or the App Store? According to an Apple spokesperson, its iOS and OS X platforms are protected against Heartbleed. Do I hear a collective sigh of relief?

An Apple spokesperson told Re/code:

Apple takes security very seriously. iOS and OS X never incorporated the vulnerable software and key web-based services were not affected.

This is great news, even more so realizing Google, Yahoo and Facebook’s admission that their own services could have been susceptible to the Heartbleed flaw. To reiterate, your Apple ID, iCloud email, data synced between devices through iCloud, App Store credentials and other Apple services you use are not at risk.

This is because Apple deprecated OpenSSL on OS X in December 2012.

According to this AskDifferent thread, Apple provides several alternate APIs that provide SSL to Mac developers and has this to say about OpenSSL:

OpenSSL does not provide a stable API from version to version. For this reason, although OS X provides OpenSSL libraries, the OpenSSL libraries in OS X are deprecated, and OpenSSL has never been provided as part of iOS. Use of the OS X OpenSSL libraries by apps is strongly discouraged.

The extent of the repercussions stemming from Heartbleed is potentially mind-blowing. Case in point: Mint.com just confirmed it’s been exposed to Heartbleed and warned that the exploit may have potentially exposed user bank passwords.

According to security expert Bruce Schneier, the Heartbleed vulnerability indeed is “catastrophic.”

“On the scale of 1 to 10, this is an 11,” he wrote in a blog post this week.

1986
Joy of Tech‘s take on Heartbleed.

How can you ensure that Heartbleed hasn’t compromised your numerous credentials used across a bunch of websites and online services? For starters, use strong passwords and avoid at all cost using the same password across different websites.

I keep all my passwords in 1Password, an excellent password-management software for iOS and OS X. In addition to keeping all my passwords, accounts, notes and other private data safe inside its encrypted vault, there’s an in-app browser I use whenever I need to log in to sites like eBay, PayPal, Google and so forth.

Apple’s own Safari password generator is helpful, too, especially used in conjunction with the iCloud Keychain feature that securely syncs your web passwords across Mac and iOS devices without storing them in iCloud.

Note that changing passwords won’t do much unless the companies have updated their compromised OpenSSL security software. Because of this, you’re better off changing passwords only for the service that have confirmed updating their security software and encouraged users to change their passwords.

For an overview of how Heartbleed works, check out an information article on Yahoo Tech. I also suggest a detailed look into Heartbleed and how it was the biggest secret in the world for about a week over at The Verge.

You may also want to check out Business Insider’s interview with one of the engineers who uncovered Heartbleed. While you’re at it, don’t forget to consult Mashable’s list of the Heartbleed-vulnerable passwords you need to change right now.

And lastly, use this Heartbleed web tool to test if your favorite website or online services has been compromised by the vulnerability.

  • Share:
  • Follow:
  • Anthony Snyder

    Good stuff!

  • Fırat Çiftçi

    So which major websites are effected from this bug?

    • ✪ aidan harris ✪

      Yahoo (was)…

    • Rowan09

      Gmail and Google

      • ✪ aidan harris ✪

        Wasn’t it Google that discovered the bug? If it was then they were likely unaffected since they probably patched their stuff before sharing the bug with the world…

      • Rowan09

        I went on the website and it showed who was affected. I never heard of Google discovering the bug, but it’s been around since March of 2012. It doesn’t mean they stole data just that they were vulnerable.

  • TheShade247

    How is iDownloadblog doing with security?

    • ✪ aidan harris ✪

      AFAIK no sensitive data is exchanged at all between the user and them (so ssl / tls is not required) although like most sites they do use analytics and advertisements that may track you through the use of cookies / local storage…

      • TheShade247

        So if person uses adblock would that help?

      • ✪ aidan harris ✪

        Advertisements aren’t exactly dangerous but they can (and do) track you with tracking cookies. Adblock generally doesn’t prevent this unless it actually outright blocks the advertisements (most don’t they simply just hide the HTML element that is displaying the advertisement). I would recommend using a browser add-on called Ghostery which lets you see all of the tracking cookies, analytics, advertisements, etc that are on a website and then block them should you desire to do so…

  • At

    I read something earlier that said apple updated their servers last month and if you haven’t changed your password since then to do so now. I changed mine so better safe than sorry.

  • David Gitman

    thanks for the info

  • Kamal Ahmad

    I just got a notification from Disqus that Disqus engineering has patched heartbleed. So Disqus is safe.

  • felixtaf

    Dont be stupid. Many Disqus accounts are linked with facebook or twitter. So bug in ur disqus account will affect your fb and twitter accounts too!

  • Seashell

    Note to self: never use open source code where security is involved.

    • No_Kneejerk

      The heartbleed bug didn’t happen because OpenSSL is open source. One has nothing to do with the other. Closed source software is just as likely to have security flaws. In fact, Apple recently released a buggy version of SSL in both OS X and iOS. Took them a few days to release a fix.

      • Seashell

        Can you be certain heartbleed wasn’t introduced intentionally? My point is that opensource code is open to malice.

  • http://www.augustasoftsol.com/ matthew

    i think it wont affect any of website .. if is so can u explan how it will ???

  • No_Kneejerk

    So Apple doesn’t use OpenSSL in their operating systems and services. That doesn’t mean it can’t be introduced by software installed on those systems. Does anyone know if they allow iOS developers to include OpenSSL libraries in their apps in the App Store? I’ve come across websites with instructions for compiling OpenSSL for iOS apps. And OS X being based on BSD unix means it’s definitely possible to include OpenSSL in software.