Update: BlackBerry responded with the following statement:
BlackBerry is investigating the issue, and if our products are affected, we will take any action needed to ensure customers are protected.
Apparently, with all the security talk around these days, there is this one big vulnerability that was left hanging. The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information that, under normal conditions, is protected by the SSL/TLS encryption used to secure the Internet. This means that most of the servers that deploy SSL certificates and use the OpenSSL library are likely to be vulnerable – PayPal, your bank, shopping sites, etc.
Apparently, this bug was introduced into OpenSSL in December 2011 and has been out in the wild since the OpenSSL 1.0.1 release on the 14th of March 2012. Only OpenSSL 1.0.1g, released on the 7th of April 2014, fixes the bug.
This also means that if BlackBerry has not updated its servers recently, the chances of the encryption keys being stolen are very high. Leaked or stolen secret keys allow an attacker to decrypt any past and future traffic to the protected services and to impersonate the service at will. Any protection given by the encryption can hence be bypassed. According to OurBerries, BlackBerry still uses version 1.0.1e, which is clearly vulnerable.
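The two paragraphs above give the affected range (1.0.1 through 1.0.1f, fixed in 1.0.1g) and a reported version string (1.0.1e). The following is an added example, not code from the post or from BlackBerry, that turns that range into a triage check over OpenSSL version banners such as the output of `openssl version` or a server's Server header. The sample banners are constructed for the example. One caveat it encodes: Linux distributions often backport the fix without changing the upstream version string, so a banner inside the range only means "possibly vulnerable" until the package changelog or a patch-level check confirms it.

```python
import re
from typing import NamedTuple, Optional, Dict, List


class OpenSSLVersion(NamedTuple):
    major: int
    minor: int
    fix: int
    patch: str  # letter suffix such as "e"; empty for the first release of a line


# Matches "OpenSSL 1.0.1e ..." style strings; the date that follows is ignored.
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)", re.IGNORECASE)

# Range stated in the post: introduced in 1.0.1 (14 Mar 2012), fixed in 1.0.1g (7 Apr 2014).
HEARTBLEED_LINE = (1, 0, 1)
FIRST_FIXED_PATCH = "g"


def parse_openssl_version(banner: str) -> Optional[OpenSSLVersion]:
    """Extract the OpenSSL version from a banner; None if no OpenSSL version is present."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    return OpenSSLVersion(int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4).lower())


def is_in_heartbleed_range(v: OpenSSLVersion) -> bool:
    """True for 1.0.1 (no suffix) up to and including 1.0.1f."""
    if (v.major, v.minor, v.fix) != HEARTBLEED_LINE:
        return False
    # Single-letter suffixes sort lexically: "" < "a" < ... < "f" < "g".
    return v.patch < FIRST_FIXED_PATCH


def assess_banner(banner: str) -> str:
    """Classify a banner as 'possibly_vulnerable', 'not_affected' or 'unknown'.

    'possibly_vulnerable' rather than 'vulnerable' because distro packages may
    carry a backported fix under an unchanged upstream version string.
    """
    v = parse_openssl_version(banner)
    if v is None:
        return "unknown"
    return "possibly_vulnerable" if is_in_heartbleed_range(v) else "not_affected"


def triage_banners(banners: List[str]) -> Dict[str, str]:
    """Map each banner to its assessment; useful over an inventory of hosts."""
    return {b: assess_banner(b) for b in banners}


if __name__ == "__main__":
    # Constructed sample banners (not collected from any real host).
    SAMPLES = [
        "OpenSSL 1.0.1e 11 Feb 2013",   # the version the post reports for BlackBerry
        "OpenSSL 1.0.1 14 Mar 2012",    # first release of the affected line
        "OpenSSL 1.0.1g 7 Apr 2014",    # the fixed release
        "OpenSSL 1.0.0l 6 Jan 2014",    # predates the affected line
        "nginx/1.4.7",                  # no OpenSSL version exposed at all
    ]
    for banner, verdict in triage_banners(SAMPLES).items():
        print(f"{banner!r:35} -> {verdict}")
```

Run it as a script to see the verdict per banner, or import `triage_banners` and feed it the version strings gathered from a host inventory. Any host reported as `possibly_vulnerable` still needs a look at the installed package's changelog before it is counted as patched or unpatched.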
Has BlackBerry patched the servers yet? Will the OpenSSL support on BlackBerry 10 be updated to version 1.0.1g? We have reached out to BlackBerry and are waiting for their response.
Note: Apparently BES is not affected.
Ofutur