April 10, 2014
by Justin Thomas

How We're Handling Heartbleed


UPDATE 4/14/14: Simple’s mobile and web applications are now fully secured from any vulnerability to the Heartbleed exploit. We pushed an update to the Apple App Store and Google Play Store on Friday afternoon, April 11th. Simple customers should immediately update their mobile apps and change their passwords. Below is a record of our original response to Heartbleed.

By now, you’ve likely heard about the Heartbleed exploit. In case you haven’t: on April 7th, researchers discovered a flaw in OpenSSL, a piece of fundamental security software used by a broad range of companies and organizations across the globe. That flaw could allow an attacker to gain access to sensitive information stored in the memory of an affected system with just a basic network request.

To give an example, imagine this: a stranger comes up to you and says “hey, how are you?” If you were affected by Heartbleed, you might say “I’m fine,” and also include an unfiltered snippet of whatever you were thinking of at the moment—regardless of how sensitive it was. Each additional request would reveal a different piece of unrequested information. You can see how this could get dangerous.

Companies all across the web are responding to this security flaw. You may be wondering about the steps that Simple has taken in response, so I wanted to give you a bit more detail about how we’re working to keep your information safe.

How Simple Responded

Simple’s Security and Engineering teams actively monitor the channels where such vulnerabilities are announced and discussed, and we quickly recognized the seriousness of this issue. We have no reason to believe that this exploit was used to expose any sensitive Simple information or any data associated with any Simple customer (we monitor, for example, for fraudulent attempts to access customer information or transfer funds). Even so, the risk associated with this flaw is significant, so we went into high gear to eliminate any potential exposure.

We immediately applied patches to our services that use OpenSSL. If you’re interested, you can verify the effectiveness of that action using a tool like this one. By applying the patches, we ensured that Simple’s systems are no longer susceptible to the underlying flaw that permitted the Heartbleed exploit. We’ve also recreated the cryptographic certificates and underlying keys used by the previously vulnerable servers. A certificate is a file used to create an encrypted connection between a client (like a web or mobile app) and a server (where your data is stored). A certificate contains, among other data, public encryption keys; in other words, we needed to generate new keys and get rid of the old ones to ensure that information is safe in the future. New certificates are in place on all of Simple’s servers, and we’re in the process of revoking the old certificates.

Remaining Work

Access to Simple on the web has been secured; however, we have one outstanding challenge. Because we include components of our certificates within our mobile apps (an enhanced security mechanism known as “key pinning”), we must also publish updated Android and iOS clients to all of our customers before we can completely revoke the old certificates used by the servers that support those clients. Our developers are working quickly to publish those updates to the Apple App Store and the Google Play Store, and we’re doing everything in our power to speed that process along.
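Added example (not code from the original post or from Simple): the comparison a key-pinning client makes, applied to the key rotation described above. A pinning client hashes the certificate's SubjectPublicKeyInfo, so the same hash tells a defender whether a reissued certificate actually carries a new key or only a new serial number. The DER helpers and the `fake_cert` builder are assumptions used to construct offline sample certificates; `spki_pin` works unchanged on a real DER-encoded certificate.

```python
import base64
import hashlib

def der(tag, body):
    """Encode one DER TLV (definite length, short or long form)."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def der_read(buf, i):
    """Parse the TLV header at offset i -> (tag, body_start, body_end)."""
    tag, ln, start = buf[i], buf[i + 1], i + 2
    if ln & 0x80:                # long form: next ln&0x7F bytes hold the length
        nb = ln & 0x7F
        ln, start = int.from_bytes(buf[start:start + nb], "big"), start + nb
    return tag, start, start + ln

def spki_from_cert(cert_der):
    """Return the raw SubjectPublicKeyInfo TLV of a DER X.509 certificate."""
    _, s, _ = der_read(cert_der, 0)            # Certificate ::= SEQUENCE
    _, i, end = der_read(cert_der, s)          # tbsCertificate ::= SEQUENCE
    fields = []
    while i < end:                             # collect tbsCertificate's elements
        tag, _, e = der_read(cert_der, i)
        fields.append((tag, cert_der[i:e]))
        i = e
    if fields[0][0] == 0xA0:                   # drop optional [0] EXPLICIT version
        fields = fields[1:]
    # remaining order: serial, signature, issuer, validity, subject, SPKI
    return fields[5][1]

def spki_pin(cert_der):
    """Base64(SHA-256(SPKI)): the value a pinning client compares to its pin set."""
    return base64.b64encode(hashlib.sha256(spki_from_cert(cert_der)).digest()).decode()

def key_was_rotated(old_cert, new_cert):
    """True only if the new certificate carries a different public key, not just a new serial."""
    return spki_pin(old_cert) != spki_pin(new_cert)

def fake_cert(serial, pubkey):
    """Constructed sample (assumption, not a real cert): a structurally valid X.509 DER skeleton."""
    seq = lambda *parts: der(0x30, b"".join(parts))
    alg = seq(der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"), der(0x05, b""))
    validity = seq(der(0x17, b"140407000000Z"), der(0x17, b"150407000000Z"))
    spki = seq(alg, der(0x03, b"\x00" + pubkey))        # BIT STRING, 0 unused bits
    tbs = seq(der(0xA0, der(0x02, b"\x02")), der(0x02, bytes([serial])),
              alg, seq(), validity, seq(), spki)
    return seq(tbs, alg, der(0x03, b"\x00dummy-signature"))
```

A certificate reissued with a new serial but the old key produces the same pin, which is exactly the case a post-incident check must catch.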

Because we have no indication of increased fraudulent activity on customer accounts, we’ve made the decision not to disable access to Simple on mobile, as we did for customers using iOS 7.0.4 when a security flaw was identified recently. As part of our normal security protocol, we always monitor for unusual activity, suspicious transfers, and other indications that a user’s credentials or data may be compromised. That will of course continue.

Steps You Can Take

In the meantime, you can also take some measures to protect yourself. Because a successful attack would require access to your data while it’s in transit, we suggest that you use the mobile apps only on networks that you trust (e.g., don’t use public WiFi hot spots where Man-in-the-Middle attacks are more likely). Again, based on the information that we have today and the actions that we’ve taken thus far, we believe the risk to be minimal, but it’s always a good idea to only use networks you trust.

Once we’ve published updated Android and iOS applications and we’re able to revoke the certificates for the older mobile clients, we will be requiring that all customers update their mobile devices and then change their passphrases. Please watch for communication from us when we’re ready for you to take that step.

Thanks for reading, and please let us know on Twitter, Facebook, or Google+ if you have questions.