My Heart Bleeds for SurveyMonkey… Not

SurveyMonkey*, a popular free site for creating online surveys, is playing fast and loose with the truth about their exposure to the Heartbleed vulnerability.

As far as I can put the pieces together, they were indeed running the broken version of OpenSSL before this week’s public disclosure of Heartbleed, and they quickly patched their computers with the fixed version. They also sent e-mail to their user base, advising everyone to change passwords, which, while not an admission, is certainly a strong hint that users’ passwords may have been exposed.

What they won’t admit is that, for who-knows-how-long, their data was also at risk of exposure. By “their” data, I mean your and my and all their other users’ surveys and survey results. Probably not a big deal to many users, but certainly something you would expect a service provider to be honest about.

I tried to get a straight answer from them, but they refused to give one. Posted below is the e-mail conversation I had with them yesterday. While I don’t have a final answer from them yet, it appears unlikely I will get one. The support person, Ian, offers at the end to take my question to the technical team on Monday. But no technical person will be able (permitted) to answer my question any more clearly than Ian. The decision to fudge their answer came from Marketing/Communications, and the decision to stop fudging will have to come from there too.

I can’t tell you what you should do, dear reader, but you deserve at least to have accurate information when you’re deciding whether to trust a web site with your data.

_______________

* SurveyMonkey link: https://www.surveymonkey.com/



Date: Fri, 11 Apr 2014 17:33:00 -0700
To: (me and all the other SurveyMonkey users)
From: “SurveyMonkey” <surveymonkey@go.surveymonkey.com>
Subject: SurveyMonkey Heartbleed Security Update

Dear SurveyMonkey Customer,

On April 7, 2014, researchers disclosed a vulnerability in a technology called OpenSSL that powers encryption across much of the internet. The vulnerability is commonly known as the “OpenSSL Heartbleed Flaw.”

Our team took immediate action to secure SurveyMonkey’s infrastructure against this flaw. We closed any exposure that might have existed and wanted to let you know that SurveyMonkey is not vulnerable to the Heartbleed flaw.

Although we have no reason to believe that any part of our service has been improperly accessed due to this vulnerability, as a matter of best practice we would like to recommend that all our customers reset their passwords. To reset your password, visit My Account and change your password in the Login Details section of your Account Page.

Thank you for being a great customer. Happy surveying!
The SurveyMonkey Team



From: (me)
Sent: 4/11/2014 8:30 PM
To: support@surveymonkey.com
Subject: OpenSSL Heartbleed vuln

Your e-mail to users doesn’t actually say whether you were vulnerable to the Heartbleed exploit in the past — it only says you took immediate action and are not vulnerable now. Were you at any time running a vulnerable version of OpenSSL (1.0.1 through 1.0.1f) on any of your public-facing servers? Please give me a straight answer — I admin servers for a living, and I don’t suffer FUD gladly. Thanks,



From: support@surveymonkey.com
Date: 4/12/2014 12:06 AM
To: (me)
Subject: Re: OpenSSL Heartbleed vuln [ ref:_00D301HuKJ._50030Tmot8:ref ]

Hi ,

We promptly did a thorough assessment of our site to resolve any exposure that might have existed and are happy to let you know that SurveyMonkey is no longer at risk to the Heartbleed flaw. We have no reason to believe that any part of our service was improperly accessed due to any exposure that may have existed.

Due to our security policy, we are not able to disclose any specifics on our production infrastructure. Your confidence is of the highest importance to us and we have taken pains to ensure that customer and survey data remain secure.

You can confirm this via an independent Heartbleed vulnerability test site, such as http://filippo.io/Heartbleed/#surveymonkey.com:443

If you have any additional questions about the SSL encryption used on our site, you can learn more about it in the following FAQ: http://help.surveymonkey.com/articles/en_US/kb/What-is-the-enhanced-security-option-SSL-encryption

You can also review our security policy here: https://www.surveymonkey.com/mp/policy/security/

All the best,

Ian
Product Support Specialist


From: (me)
To: support@surveymonkey.com
Date: 4/12/2014 12:37 AM
Subject: Re: OpenSSL Heartbleed vuln [ ref:_00D301HuKJ._50030Tmot8:ref ]

Really, Ian? Really? I understand that you can’t tell me any more than the marketing suits will allow you to tell me. But I think I can read between the lines of “SurveyMonkey is no longer at risk to the Heartbleed flaw.” Yeah, “…no longer…”

In other words, at some point SurveyMonkey was running the vulnerable version of OpenSSL on public-facing servers.

I know you’re just doing your job, but would you please pass this up the line: that this customer, who is a 30-year veteran system administrator, thinks it’s absolutely slimy that SurveyMonkey won’t disclose such a major vulnerability to its users. At Georgia Tech, where I’m on a team that admins about 1000 Linux servers, if our department tried to hide something like this from the departments that are our customers, there would be hell to pay. And rightly so.

I’ll post your non-reply, along with this message, on Facebook, so that at least my friends know what kind of company SurveyMonkey is.

I’m sorry, Ian, that you personally are forced to be caught in the middle of this farce.

Kind regards to you, Ian


From: support@surveymonkey.com
To: (me)
Date: 4/12/2014 12:57 AM
Subject: Re: OpenSSL Heartbleed vuln [ ref:_00D301HuKJ._50030Tmot8:ref ]

Hi ,

I can certainly understand that you’re concerned and I will definitely send this over to my technical team for further review. However, since it is late on a Friday, you can most likely expect a response on Monday.

Thanks for your patience on this matter. Have a good rest of your weekend.

Warm regards,

Ian
Product Support Specialist


3 thoughts on “My Heart Bleeds for SurveyMonkey… Not”

  1. Adam Howard April 14, 2014 / 10:24 am

    Yuck. It sounds like they’re shitting their pants over there because user data was in fact exposed and they know that people are going to be freaked out that every survey answer they’ve ever typed into SurveyMonkey might be floating around the internet somewhere. It’s cowardly (and ultimately unproductive) for them to try to gloss over it with such weaselly language, though.

  2. Johnny April 23, 2014 / 4:12 pm

    Has anyone checked the start date on the server certificate? Was it newly issued _after_ the vulnerability was patched? If not, that could be a problem… 😦

  3. Johnny April 23, 2014 / 4:38 pm

    Have you considered that it might just be a very badly written press release and poor customer relations? Perhaps they were not actually vulnerable (as information cached by Google says “SurveyMonkey uses a version of OpenSSL that is unaffected by the Heartbleed vulnerability”) but advised users to change passwords anyway, knowing people may have used the same password for other sites that could have been vulnerable.
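Johnny’s question about the certificate start date, and the author’s question about the affected OpenSSL range (1.0.1 through 1.0.1f), are the two things an outsider can actually check when a provider won’t say whether it was exposed. The script below is an added example written for this post; it is not code from the author, the commenters or SurveyMonkey. It assumes the certificate dictionary shape returned by Python’s `ssl.SSLSocket.getpeercert()`, uses constructed sample certificates, and, because the actual patch time is unknown, treats the April 7, 2014 disclosure date as the earliest moment a replacement certificate could have been issued.

```python
"""Post-Heartbleed audit helpers (added example; sample data is constructed).

Two questions for any TLS service that ran OpenSSL in April 2014:
  1. Was the reported OpenSSL version in the affected range?
  2. Was the server certificate (and, ideally, its key pair) reissued after
     the fix went in?  A certificate whose notBefore predates the fix was
     issued while the private key could have been read out of server memory.
"""
import re
import socket
import ssl
from datetime import datetime, timezone
from typing import List, Optional

# Public disclosure of the flaw, as given in the SurveyMonkey notice above.
HEARTBLEED_DISCLOSED = datetime(2014, 4, 7, tzinfo=timezone.utc)

# 1.0.1 with no letter, or 1.0.1a..1.0.1f, optionally followed by a build
# suffix such as "-fips".  1.0.1g and later carry the fix.
_AFFECTED_101 = re.compile(r"^1\.0\.1[a-f]?(-|$)")


def openssl_version_vulnerable(version: str) -> bool:
    """True if an OpenSSL version string is in the range named in the e-mail
    above (1.0.1 through 1.0.1f).  The OpenSSL advisory also listed the
    1.0.2-beta1 release, so it is included.  Caveat: distributions backport
    fixes without changing the base version (e.g. a patched "1.0.1e-fips"),
    so a version string alone is evidence, not proof."""
    v = version.strip()
    if v.lower().startswith("openssl "):
        v = v.split()[1]                 # "OpenSSL 1.0.1e 11 Feb 2013" -> "1.0.1e"
    return bool(_AFFECTED_101.match(v)) or v == "1.0.2-beta1"


def cert_predates_fix(peercert: dict,
                      fixed_at: datetime = HEARTBLEED_DISCLOSED) -> bool:
    """True if the certificate's notBefore is earlier than fixed_at.

    `peercert` has the shape returned by ssl.SSLSocket.getpeercert(); its
    'notBefore' field uses OpenSSL's text format, which the standard library
    parses with ssl.cert_time_to_seconds() (interpreted as GMT)."""
    not_before = ssl.cert_time_to_seconds(peercert["notBefore"])
    return not_before < fixed_at.timestamp()


def audit(version: Optional[str], peercert: dict,
          patched_at: datetime = HEARTBLEED_DISCLOSED) -> List[str]:
    """Combine both checks into a list of findings (empty list = nothing to
    flag).  `patched_at` should be the time the operator says the fix was
    deployed; the disclosure date is the most conservative lower bound."""
    findings = []
    if version is not None and openssl_version_vulnerable(version):
        findings.append(f"OpenSSL {version} is in the affected range; private "
                        f"keys and session data may have been exposed")
    if cert_predates_fix(peercert, patched_at):
        findings.append(f"certificate notBefore {peercert['notBefore']} "
                        f"predates the fix; the certificate and key pair "
                        f"should have been rotated")
    return findings


def fetch_peercert(host: str, port: int = 443) -> dict:
    """Fetch a live certificate for use with the checks above (network call;
    not exercised by the constructed samples below)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample certificates (not real certificates from any site).
SAMPLE_OLD_CERT = {
    "subject": ((("commonName", "example.invalid"),),),
    "notBefore": "Mar  3 00:00:00 2014 GMT",   # issued before disclosure
    "notAfter": "Mar  3 23:59:59 2016 GMT",
}
SAMPLE_REISSUED_CERT = {
    "subject": ((("commonName", "example.invalid"),),),
    "notBefore": "Apr  9 12:00:00 2014 GMT",   # issued after disclosure
    "notAfter": "Apr  9 12:00:00 2016 GMT",
}

if __name__ == "__main__":
    for label, ver, cert in (("unpatched host", "OpenSSL 1.0.1e 11 Feb 2013", SAMPLE_OLD_CERT),
                             ("remediated host", "OpenSSL 1.0.1g 7 Apr 2014", SAMPLE_REISSUED_CERT)):
        print(f"{label}: {audit(ver, cert) or ['no findings']}")
```

A certificate dated after the fix is necessary but not sufficient: some operators reissued certificates while keeping the old key pair, so a thorough check also compares the public key in the new certificate against the one served before the patch. Conversely, a certificate that predates the fix on a host that was never vulnerable (the possibility Johnny raises) is not a problem by itself, which is why the version question and the certificate question have to be answered together.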
