04-09-2014 10:56 AM
"translation" wrote:
When trying to access developer.oculus.com, you actually reached a server called *.cloudfront.net. This may be due to a misconfiguration, but also more serious causes. Maybe a hacker tries to lure you to a fake and potentially dangerous version of developer.oculus.com. Do not proceed, especially if the alert has never before appeared on this website.
04-09-2014 11:03 AM
04-09-2014 11:10 AM
04-09-2014 11:30 AM
"Catastrophic" is the right word. On the scale of 1 to 10, this is an 11.
04-09-2014 11:35 AM
Detected server software of nginx/1.4.7
That server is known to use OpenSSL and could have been vulnerable.
The SSL certificate for developer.oculus.com valid 6 months ago at Oct 21 00:00:00 2013 GMT.
This is before the heartbleed bug was published, it may need to be regenerated.
What leaks in practice?
We have tested some of our own services from an attacker's perspective. We attacked ourselves from outside, without leaving a trace. Without using any privileged information or credentials we were able to steal from ourselves the secret keys used for our X.509 certificates, user names and passwords, instant messages, emails and business critical documents and communication.
04-09-2014 11:41 AM
04-09-2014 11:50 AM
"nalex66" wrote:
I've been checking sites that I have log-in info with using this tester: https://www.ssllabs.com/ssltest/index.html. Online banking sites, etc. have all come back clean. The only compromised sites I've used seem to be Oculus VR and Yahoo.
Oculus now tests as "not vulnerable to Heartbleed", but I read a story about Heartbleed earlier that specifically mentions Oculus VR as a compromised site.
04-09-2014 11:57 AM
04-09-2014 12:20 PM
04-09-2014 12:22 PM