How does "Heartbleed" affect my use of LogMeIn?
OpenSSL, the cryptographic library on which approximately two thirds of the internet relies, was found to be vulnerable to an attack commonly referred to as "Heartbleed". Some LogMeIn services and products rely on OpenSSL, including LogMeIn Pro and LogMeIn Free, so we took this threat very seriously and acted immediately to address the issue.
We have updated the LogMeIn host software and related services to close the vulnerability. Prior to this update, the username and password of the host Windows or Mac computer were potentially exposed to an attacker during a remote session.
In addition, our security team continues to perform a rigorous diagnostic investigation to ensure the protection of our users, and will provide additional product-specific updates if necessary.
What actions can I take to protect myself from vulnerability related to the "Heartbleed" bug and my use of LogMeIn?
- Check that you are running the latest version of LogMeIn. You can do that by hovering your mouse over a computer in your Central or My Computers page on the LogMeIn.com site, OR by right-clicking the LogMeIn icon in your system tray, opening LogMeIn Control Panel and clicking the About tab.
  Confirm version number 220.127.116.1144 or higher for Windows, or version number 18.104.22.16845 or higher for Mac.
- Change your Windows PC or Mac password. This is the password for your computer login credentials.
- If you do not have a Windows PC or Mac password, change your Computer Access Code instead. Follow this link to change your Computer Access Code.
- Change your Personal Password if you use one for added security. If you do not currently use a Personal Password as an additional safety measure, you can add one from the host computer:
  - Right-click the LogMeIn icon in your system tray and open LogMeIn Control Panel.
  - Click Options.
  - Click Preferences.
  - Click the Security tab.
  - Create or change your Personal Password.
Why wasn't I prompted to run the update?
Updates are normally pushed out automatically, so the user does not need to run the update manually and the security fix is not delayed.
If a user has disabled the auto-update feature, they will need to check for updates manually by following these steps from the host computer:
- Right-click the LogMeIn icon in your system tray and open LogMeIn Control Panel.
- Click the About tab.
- Click Check for Updates and follow the subsequent steps to run the update.
How does "Heartbleed" affect my use of LogMeIn Ignition for Windows (LogMeIn Client), LogMeIn Ignition for Mac (LogMeIn Client), or LogMeIn apps for iOS and Android?
Our LogMeIn Ignition/Client desktop application and our LogMeIn mobile apps rely on OpenSSL. As a result, the potential risk to host computers is the same as when a browser is used for remote sessions. Although the Client application itself uses OpenSSL, the client end is not at risk, because it is not exploitable by the Heartbleed bug.
What can I check on my end to see if my information was compromised?
Unfortunately, there are no log entries or other visible evidence a user can examine to determine definitively whether their data was compromised.
Are there certain features that create additional risk from this vulnerability?
File sharing: always take care when using the file sharing feature with documents that contain sensitive information. File sharing through LogMeIn Pro generates a URL that does not require authentication by the recipient. If an attacker intercepted a file sharing URL prior to our recent updates, they would have access to the contents of that shared file. We recommend removing any shared file links that were created prior to the recent version update (version 22.214.171.12444 or higher for Windows and version 126.96.36.19945 or higher for Mac).
What was done in the recent update to the LogMeIn software to protect me?
We've updated the LogMeIn host and related services to close the vulnerability.
In addition, our security team continues to perform a rigorous diagnostic investigation to ensure the protection of our services and our users, and will provide additional product-specific updates if necessary.
Do you implement Forward Secrecy?
Yes. LogMeIn, Cubby and join.me hosts use Forward Secrecy for their communications.
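As an added example (not LogMeIn's code, and not a statement about how LogMeIn configures its servers), the following Python script shows what forward secrecy means in practice for a defender: it classifies a TLS cipher suite by whether its key exchange is ephemeral, which is what keeps recorded sessions safe if a server's long-term key is later exposed, and it builds a Python ssl client context that offers only such suites. The cipher string, function names and sample suite names are assumptions made for this example.

```python
"""Added example: classify TLS cipher suites by whether they provide forward secrecy.

Forward secrecy means the session keys come from an ephemeral (EC)DHE key
exchange, so a later compromise of the server's long-term private key (the
kind of exposure a memory-leak bug like Heartbleed can cause) does not let an
attacker decrypt previously recorded sessions. Static RSA key exchange has
no such property: the same private key unlocks every past session.
"""
import re
import ssl

# Key-exchange tokens that denote an ephemeral Diffie-Hellman exchange
# (OpenSSL spells ephemeral DH either "DHE" or "EDH").
EPHEMERAL_KX = {"ECDHE", "DHE", "EDH"}

# Sample suite names used for illustration (standard names, chosen for this example).
SAMPLE_SUITES = [
    "ECDHE-RSA-AES128-GCM-SHA256",            # OpenSSL name, ephemeral ECDH -> forward secret
    "AES256-SHA",                             # OpenSSL name, static RSA -> not forward secret
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", # IANA name, ephemeral ECDH -> forward secret
    "TLS_RSA_WITH_AES_128_CBC_SHA",           # IANA name, static RSA -> not forward secret
    "TLS_AES_128_GCM_SHA256",                 # TLS 1.3 suite, (EC)DHE is mandatory -> forward secret
]


def provides_forward_secrecy(cipher_name: str) -> bool:
    """Return True if the named suite uses an ephemeral key exchange.

    Accepts OpenSSL-style names (ECDHE-RSA-AES128-GCM-SHA256, AES256-SHA) and
    IANA-style names (TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_...).
    TLS 1.3 suite names carry no key-exchange token because the protocol
    mandates (EC)DHE, so they are always reported as forward-secret.
    """
    name = cipher_name.strip().upper()
    if re.fullmatch(r"TLS_(AES_\d+_(GCM|CCM(_8)?)|CHACHA20_POLY1305)_SHA(256|384)", name):
        return True
    tokens = set(re.split(r"[-_]", name))
    return bool(tokens & EPHEMERAL_KX)


def forward_secret_context() -> ssl.SSLContext:
    """Build a client context that only offers forward-secret TLS 1.2 suites.

    The cipher string below is an assumption for this example. TLS 1.3 suites
    are governed separately from set_ciphers() and are always forward secret,
    so they stay enabled.
    """
    ctx = ssl.create_default_context()
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!MD5")
    return ctx


def non_forward_secret_suites(ctx: ssl.SSLContext) -> list:
    """List the suites a context would offer that lack forward secrecy."""
    return [c["name"] for c in ctx.get_ciphers() if not provides_forward_secrecy(c["name"])]


if __name__ == "__main__":
    for suite in SAMPLE_SUITES:
        print(f"{suite:45s} forward secrecy: {provides_forward_secrecy(suite)}")
    leftover = non_forward_secret_suites(forward_secret_context())
    print("non-forward-secret suites offered by hardened context:", leftover or "none")
```

A practical use of `provides_forward_secrecy` is to feed it the suite name reported by a live connection (`ssl.SSLSocket.cipher()[0]`) or by a handshake log, so an inventory of servers can be checked for suites that would expose past traffic if a private key ever leaked.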