Heartbleed: Impact and Response from Urban Airship
Published on 14 May 2014
Heartbleed is the popular name for a security vulnerability recently discovered in the OpenSSL library, which is used to encrypt and decrypt traffic for most websites and services, including those at Urban Airship. A lot of information has been published on this vulnerability:
The proprietary services that power our messaging and our customer-facing web front end at go.urbanairship.com were not vulnerable to Heartbleed. However, we do rely on Amazon Web Service (AWS) Elastic Load Balancer for some of our services, and AWS was impacted. The Urban Airship services that use AWS include Digital Wallet and documentation.
We have investigated and found no evidence that any customer data, encryption keys or other sensitive information was exposed through this vulnerability.
To mitigate the risk of this vulnerability, we have taken broad action to patch potentially vulnerable systems and reset any secrets or sessions which could have been exposed.
We are in the process of revoking our previous certificate and will be complete this weekend. We will update this blog post when this work is complete.
By early May we were finally able to confirm that our certificate authority revoked our previous certificates and issued new ones (nothing like an unanticipated processing delay that you have no control over no matter how loud you shout).
Digital Wallet customers can now reset passwords. To do so, log into your account and click "Account", then "Account Details", then "Edit", then fill in "New Password" and "Current Password". In an abundance of caution, customers may want to reset their password on go.urbanairship.com as well. To reset your password, log into your account and click "Account", then "Account Info", then "Change Password". You'll be prompted for your existing and new passwords. If you have reset your login credentials and wish to take the additional precaution of changing application-level credentials, please contact firstname.lastname@example.org.
All of us at Urban Airship take security extremely seriously. We will continue to make changes to minimize our exposure to such attacks, and keep all of our customers informed when incidents such as this one occur.
If you are an Urban Airship customer and have any questions or concerns, please contact email@example.com.
If you are a security professional and wish to contact Urban Airship Security, please contact firstname.lastname@example.org. See also http://urbanairship.com/full-disclosure-security-policy