The suggestion has been doing the rounds, at least at the more paranoid/self-fancying end of the technology spectrum, that the Commonwealth Bank of Australia (CBA)’s Netbank online banking platform might have been vulnerable to the Heartbleed vulnerability.
TL/DR: it wasn’t.
Heartbleed only hit sites that use certain versions of the OpenSSL secure toolkit, with its Heartbeat function enabled. Netbank runs on SAP for Banking, implemented by Accenture. SAP for Banking is not affected by Heartbleed, which you’d expect given that it runs on Microsoft IIS (“Microsoft” and “open” go together like anchovies and custard). This isn’t a great surprise: no major western-world banks’ online banking platforms were ever vulnerable, because of the massively proprietary, as well as security-crazy, way in which online banking software is developed.
So why all the derp? Well, CBA’s non-transactional Commbank.com.au website does use OpenSSL, was apparently vulnerable to Heartbleed, and was apparently patched after the Heartbleed news broke. You don’t use your Netbank credentials to log into Commbank, it isn’t linked to your secure data, and it uses a different security certificate from Netbank.
This created some scope for confusion – and the scope was fully brought to reality by the combination of utterly stupid PR people, and self-satisfied circle-jerking techies happy to spread unjustified fear among CBA customers.
CBA published a blog post that completely failed to explain the difference between the two platforms, and then responded to comments asking for clarification with a meaningless copy-paste of the original post. Rather than doing the basic research that went into my post here, a whole bunch of tech folk who should know better then went crazy with the “WE DON’T KNOW IF OUR NETBANK PASSWORDS ARE SAFE OR NOT, WOES!!!!!!” line.
Stop it. Your Netbank passwords are safe. Someone in CBA’s PR department needs a long walk off a short pier, is all.
(thanks very much to Johnny and Chris for pointing me towards technical details here. Any screw-ups in this post, of course, are solely my fault.)