My Heart Bleeds for SurveyMonkey… Not

SurveyMonkey*, a popular free site for creating online surveys, is playing fast and loose with the truth about their exposure to the Heartbleed vulnerability.

As far as I can put the pieces together, they were indeed running a vulnerable version of OpenSSL before this week’s public disclosure of Heartbleed, and they quickly patched their servers with the fixed version. They also sent e-mail to their user base advising everyone to change passwords, which, while not an admission, is certainly a strong hint that users’ passwords may have been exposed.

What they won’t admit is that, for who-knows-how-long, their data was also at risk of exposure. By “their” data, I mean your and my and all their other users’ surveys and survey results. Heartbleed let anyone who could open a TLS connection read chunks of the server’s memory without authenticating, and survey contents, session cookies and even the server’s private key sit in that memory right alongside passwords. Probably not a big deal to many users, but certainly something you would expect a service provider to be honest about.

I tried to get a straight answer from them, but they refused to give one. Posted below is the e-mail conversation I had with them yesterday. While I don’t have a final answer from them yet, it appears unlikely I will get one. The support person, Ian, offers at the end to take my question to the technical team on Monday. But no technical person will be able (or permitted) to answer my question any more clearly than Ian. The decision to fudge their answer came from Marketing/Communications, and the decision to stop fudging will have to come from there too.

I can’t tell you what you should do, dear reader, but you deserve at least to have accurate information when you’re deciding whether to trust a web site with your data.

_______________

* SurveyMonkey link: https://www.surveymonkey.com/



Date: Fri, 11 Apr 2014 17:33:00 -0700
To: (me and all the other SurveyMonkey users)
From: “SurveyMonkey” <surveymonkey@go.surveymonkey.com>
Subject: SurveyMonkey Heartbleed Security Update

Dear SurveyMonkey Customer,

On April 7, 2014, researchers disclosed a vulnerability in a technology called OpenSSL that powers encryption across much of the internet. The vulnerability is commonly known as the “OpenSSL Heartbleed Flaw.”

Our team took immediate action to secure SurveyMonkey’s infrastructure against this flaw. We closed any exposure that might have existed and wanted to let you know that SurveyMonkey is not vulnerable to the Heartbleed flaw.

Although we have no reason to believe that any part of our service has been improperly accessed due to this vulnerability, as a matter of best practice we would like to recommend that all our customers reset their passwords. To reset your password, visit My Account and change your password in the Login Details section of your Account Page.

Thank you for being a great customer. Happy surveying!
The SurveyMonkey Team


 

From: (me)
Sent: 4/11/2014 8:30 PM
To: support@surveymonkey.com
Subject: OpenSSL Heartbleed vuln

Your e-mail to users doesn’t actually say whether you were vulnerable to the Heartbleed exploit in the past — it only says you took immediate action and are not vulnerable now. Were you at any time running a vulnerable version of OpenSSL (1.0.1 through 1.0.1f) on any of your public-facing servers? Please give me a straight answer — I admin servers for a living, and I don’t suffer FUD gladly. Thanks,


 

From: support@surveymonkey.com
Date: 4/12/2014 12:06 AM
To: (me)
Subject: Re: OpenSSL Heartbleed vuln [ ref:_00D301HuKJ._50030Tmot8:ref ]

Hi,

We promptly did a thorough assessment of our site to resolve any exposure that might have existed and are happy to let you know that SurveyMonkey is no longer at risk to the Heartbleed flaw. We have no reason to believe that any part of our service was improperly accessed due to any exposure that may have existed.

Due to our security policy, we are not able to disclose any specifics on our production infrastructure. Your confidence is of the highest importance to us and we have taken pains to ensure that customer and survey data remain secure.

You can confirm this via an independent Heartbleed vulnerability test site, such as http://filippo.io/Heartbleed/#surveymonkey.com:443

If you have any additional questions about the SSL encryption used on our site, you can learn more about it in the following FAQ: http://help.surveymonkey.com/articles/en_US/kb/What-is-the-enhanced-security-option-SSL-encryption

You can also review our security policy here: https://www.surveymonkey.com/mp/policy/security/

All the best,

Ian
Product Support Specialist


From: (me)
To: support@surveymonkey.com
Date: 4/12/2014 12:37 AM
Subject: Re: OpenSSL Heartbleed vuln [ ref:_00D301HuKJ._50030Tmot8:ref ]

Really, Ian? Really? I understand that you can’t tell me any more than the marketing suits will allow you to tell me. But I think I can read between the lines of “SurveyMonkey is no longer at risk to the Heartbleed flaw.” Yeah, “…no longer…”

In other words, at some point SurveyMonkey was running the vulnerable version of OpenSSL on public facing servers.

I know you’re just doing your job, but would you please pass this up the line: that this customer, who is a 30-year veteran system administrator, thinks it’s absolutely slimy that SurveyMonkey won’t disclose such a major vulnerability to its users. At Georgia Tech, where I’m on a team that admins about 1000 Linux servers, if our department tried to hide something like this from the departments that are our customers, there would be hell to pay. And rightly so.

I’ll post your non-reply, along with this message, on Facebook, so that at least my friends know what kind of company SurveyMonkey is.

I’m sorry, Ian, that you personally are forced to be caught in the middle of this farce.

Kind regards to you, Ian


From: support@surveymonkey.com
To: (me)
Date: 4/12/2014 12:57 AM
Subject: Re: OpenSSL Heartbleed vuln [ ref:_00D301HuKJ._50030Tmot8:ref ]

Hi,

I can certainly understand that you’re concerned and I will definitely send this over to my technical team for further review. However, since it is late on a Friday, you can most likely expect a response on Monday.

Thanks for your patience on this matter. Have a good rest of your weekend.

Warm regards,

Ian
Product Support Specialist