

Mint won't give a clear answer about Heartbleed - swandog46
https://satisfaction.mint.com/mint/topics/a_definitve_answer_on_whether_mint_was_ever_affected_by_heartbleed
https://satisfaction.mint.com/mint/topics/is_mint_com_secured_and_recovered_from_the_heartbleed_bug
======
Eyas
What is unclear about the response: "As indicated, our engineers have verified
Mint is not affected by "Heartbleed." Password resets and re-issuing of SSL
certificates are not required at this time."

It seems that they are saying either (a) they are not using OpenSSL, or (b)
they were using a version of OpenSSL without the vulnerability. Is there
anything wrong with assuming that given their statements?

~~~
catshirt
"is not affected" being the operative wording. users want to know if their
data _has ever_ been at risk. still, surely everyone can just assume it was
affected, act accordingly, and move on?

~~~
gelatocar
Except in this case, seeing as it seems that Mint hasn't got new ssl certs or
private keys, the only way to 'act accordingly' is to never use the service
again.

~~~
LocalPCGuy
Or they were never vulnerable, which is likely given what has been dug up
about their tech stack.

------
tghw
It's poor customer service, but according to
[https://github.com/musalbas/heartbleed-masstest/tree/master/...](https://github.com/musalbas/heartbleed-masstest/tree/master/scans),
they were not vulnerable when the first mass scans were done. That's not
definitive, but it's at least somewhat reassuring.

------
tszming
Netcraft shows mint.com is using F5 BigIP; if they terminate SSL using BigIP,
they should not be affected:
[https://devcentral.f5.com/articles/openssl-heartbleed-cve-20...](https://devcentral.f5.com/articles/openssl-heartbleed-cve-2014-0160#.U03iFuaSy0Y)

~~~
LocalPCGuy
This needs to be the top comment.

------
lugg
What a bunch of fud.

> You say there's no evidence that customer data was affected, but the
> Heartbleed bug leaves no logs, so that is not reassuring at all

Well, if they're looking for people making use of the data received by the
exploit, that _is_ reassuring.

> You've said before that Mint servers are being updated, which suggests that
> it was exposed. If this is the case, have you gotten new SSL certificates?
> (This is extremely important; see next point.)

Almost everyone was exposed. I'd like to know they have a new ssl cert too but
not because of why you want them to.

> Even if I take a personal precaution and change my Mint and bank account
> passwords, if a hacker stole your cert at any time and you haven't gotten a
> new one, all my accounts are STILL vulnerable no matter how many times I
> change the password. This is because they basically have a permanent back
> door into Mint until you get a new SSL cert.

No, no they don't. I don't think you understand SSL at all.

> Basically, if you don't answer the following questions, we have no choice
> but to STOP USING MINT FOREVER in order to secure ourselves. 1. Was Mint
> EVER vulnerable to the heartbleed bug (which has existed for 2 years) 2. If
> so, has the SSL cert been revoked and a new one acquired?

Good, stop using it, you're taking up security analyst resources to answer
your stupid questions instead of letting them make sure everything is solid.

------
epaga
The latest (and final) response Mint gave, 2 hours after this hit the HN front
page, is: "I'm terribly sorry for the delay in circling back to this topic. I
can confirm that Mint was using a version of OpenSSL that was never vulnerable
to Heartbleed."

Seems cleared up. Goes to show yet again, due to the massive traffic it
causes, HN continues to be useful as a customer complaint center for egregious
cases...
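The two questions this thread keeps circling (was the OpenSSL build in the vulnerable range, and was the certificate reissued after public disclosure) can both be checked mechanically. The following is an added example, not code from the page or from Mint; the disclosure date, the sample certificate dict and the `example.test` name are constructed assumptions, and the version check is about upstream version numbers only.

```python
import re
import socket
import ssl
from datetime import datetime, timezone

# Heartbleed (CVE-2014-0160) was disclosed publicly on 2014-04-07. A private key
# served by a vulnerable host before the fix must be treated as exposed, so a
# certificate issued after that date is one visible sign that rotation happened.
HEARTBLEED_DISCLOSED = datetime(2014, 4, 7, tzinfo=timezone.utc)

# Upstream releases that carried the bug: 1.0.1 through 1.0.1f and 1.0.2-beta1.
# 0.9.8 (e.g. CentOS 5), 1.0.0, 1.0.1g+ and 1.0.2-beta2+ never had it.
VULNERABLE_1_0_1_LETTERS = set("abcdef")

def upstream_version_vulnerable(version_string):
    """Classify a string such as 'OpenSSL 1.0.1e 11 Feb 2013'.
    Returns True/False, or None if no version can be parsed.
    Caveat: distributions backport fixes without changing the version number
    (a patched 1.0.1e package still reports 1.0.1e), so True means 'check the
    package changelog', not 'definitely vulnerable'."""
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)([a-z]*)(-beta\d+)?", version_string)
    if not m:
        return None
    major, minor, patch, letter, beta = m.groups()
    if (major, minor, patch) == ("1", "0", "1"):
        return letter == "" or letter in VULNERABLE_1_0_1_LETTERS
    if (major, minor, patch) == ("1", "0", "2"):
        return beta == "-beta1"
    return False

def cert_reissued_after_disclosure(cert):
    """cert is the dict ssl.getpeercert() returns; 'notBefore' looks like
    'Apr  9 00:00:00 2014 GMT'. True if issued after disclosure. Necessary,
    not sufficient: a new cert over the old key pair proves nothing, and the
    old cert still needs revoking."""
    issued_at = ssl.cert_time_to_seconds(cert["notBefore"])
    return datetime.fromtimestamp(issued_at, timezone.utc) > HEARTBLEED_DISCLOSED

def check_live_host(host, port=443):
    """Fetch the leaf certificate of a live host (needs network; not used in tests)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return cert_reissued_after_disclosure(tls.getpeercert())

# Constructed sample in the shape getpeercert() returns; not a real Mint certificate.
SAMPLE_CERT = {"notBefore": "Apr  9 00:00:00 2014 GMT",
               "notAfter": "Apr  9 00:00:00 2016 GMT"}
```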

~~~
err4nt
Which is the same as their first official response to the thread further up
the page too!

------
deelowe
Typical Mint. Their customer service has been terrible ever since they sold to
Intuit. I love the service, but the company is terrible.

------
adamrneary
The absence of a clear response indicates to me that the brass is currently
weighing the pros and cons of admitting there was a problem. This is the sort
of thing where those who really weren't affected get way out ahead of this
sort of thing with vivid detail. I deleted my account.

------
sadris
Seems reasonable; we didn't have to update anything, as CentOS 5 was using an
earlier version without the bug.

------
jameshk
They should at least give us some more info, like which OpenSSL version they're
running (if they use OpenSSL).

~~~
Karunamon
That's probably not a great idea - it just instantly confirms them as a viable
future target if a bug in that particular version comes up with a hole in it
later.

I'm personally okay with "We were not affected by the bug" - random internet
people shouldn't have details on the software your company runs internally.
One more thing for a potential bad guy to exploit.

Besides, if they'd be willing to lie about being affected, they'd be willing
to lie about using a particular version of software, so nothing gained
anyways.

~~~
ryan_j_naughton
I agree that they shouldn't publicize which specific other versions of openssl
they use/used, but they should be much more forthcoming about what systems
(and potentially keys) in their architecture were affected and what data such
systems had.

For instance, at my work, we very explicitly said that only two internal
systems, our wiki and our issue tracking system, used that version of openssl.
Those systems had no user data and had a different set of certs. It is
essential to give details.
[http://blog.taximagic.com/heartbleed/](http://blog.taximagic.com/heartbleed/)

------
notastartup
I still get email from Mint from time to time, but I've disconnected my bank
account. It just didn't feel right, giving away such crucial information
when the local bank already provides means to check your financials. Do I
really need to know my spending minute by minute? Am I spending so fast and
so much that I have to watch for my account being emptied on a third-party app
that is granted access to such intimate data?

------
the_ancient
Intuit not giving a straight answer; next you will tell me water is wet...

Go try to read some of their dev docs.... I do not believe anyone in the
company can give clear and concise responses to anything.

------
KB1JWQ
Just deleted my Mint account; if they're not going to be transparent around
this, I flat out can't trust them with my financial information.

~~~
uptown
If you can't trust them with your financial information, how can you trust
that they actually deleted your account?

~~~
KB1JWQ
Fair question. Time to rotate my bank passwords too...

