Heartbleed: Impact and Response from Urban Airship

Heartbleed is the popular name for a security vulnerability recently discovered in the OpenSSL library, which is used to encrypt and decrypt traffic for most websites and services, including those at Urban Airship. A lot of information has been published on this vulnerability:

Official OpenSSL Security Notice
Heartbleed website
AWS Security Bulletins
Visual overview
Detailed overview
Cloudflare Challenge (A challenge to exploit the vulnerability)

The proprietary services that power our messaging and our customer-facing web front end at go.urbanairship.com were not vulnerable to Heartbleed. However, we do rely on the Amazon Web Services (AWS) Elastic Load Balancer for some of our services, and AWS was impacted. The Urban Airship services that use AWS include Digital Wallet and documentation.

We have investigated and found no evidence that any customer data, encryption keys or other sensitive information was exposed through this vulnerability.

To mitigate the risk of this vulnerability, we have taken broad action to patch potentially vulnerable systems and reset any secrets or sessions that could have been exposed. We are in the process of revoking our previous certificate and will complete the revocation this weekend. We will update this blog post when this work is complete.

By early May we were finally able to confirm that our certificate authority revoked our previous certificates and issued new ones (nothing like an unanticipated processing delay that you have no control over no matter how loud you shout).

Digital Wallet customers can now reset their passwords. To do so, log into your account and click "Account", then "Account Details", then "Edit", then fill in "New Password" and "Current Password". In an abundance of caution, customers may want to reset their password on go.urbanairship.com as well. To reset your password, log into your account and click "Account", then "Account Info", then "Change Password". You'll be prompted for your existing and new passwords. If you have reset your login credentials and wish to take the additional precaution of changing application-level credentials, please contact support@urbanairship.com.

All of us at Urban Airship take security extremely seriously. We will continue to make changes to minimize our exposure to such attacks, and keep all of our customers informed when incidents such as this one occur.

If you are an Urban Airship customer and have any questions or concerns, please contact support@urbanairship.com.
If you are a security professional and wish to contact Urban Airship Security, please contact security@urbanairship.com. See also http://urbanairship.com/full-disclosure-security-policy