On April 7, 2014, researchers disclosed a vulnerability in a technology called OpenSSL that powers encryption across much of the internet. The vulnerability is commonly known as the “OpenSSL Heartbleed Flaw.”
Our team took immediate action to secure Wufoo’s infrastructure against this flaw. We closed any exposure that might have existed and now want to let you know that Wufoo is not vulnerable to the Heartbleed flaw.
Although we have no reason to believe that any part of our service has been improperly accessed due to this vulnerability, as a matter of best practice we would like to recommend that all our customers reset their passwords. To reset your password, here’s what you do: Go to the *User Management* section. Once you’re in the User Management section, click on the Change Password button. A dialog window will appear and allow you to enter new password information. After entering a password, press the Save button to save the changes.
Rest easy tonight knowing your forms are safe. Form on, friends!
Comments
I understand that wufoo may not be vulnerable to Heartbleed now, but was it ever? If so, will you issue a new certificate for *.wufoo.com to ensure security? It doesn’t do us much good to change passwords if someone has captured the private key for your certificate and you don’t replace that certificate.
Posted April 11th, 2014 by Kurt Ashley.Was wufoo using Open SSL at any time/????
Posted April 11th, 2014 by alan.Ditto what Kurt said. “Any exposure that might have existed” is super ambiguous. Does wufoo’s infrastructure use OpenSSL? If yes, please explain the specific vulnerabilities that did exist.
Posted April 11th, 2014 by Mark.Your guys seriously need to update your SSL certificates. Telling your users to change their password is almost moot point if someone was able to get your private keys and certificates. That means they could the new read account credentials as it passes through your questionably “secure” encryption login service.
https://lastpass.com/heartbleed/?h=wufoo.com
wufoo.com
Posted April 11th, 2014 by Earl.Server software: Not reported
Was vulnerable: Possibly (might use OpenSSL, but we can’t tell)
SSL Certificate: Possibly Unsafe (created 1 year ago at Apr 15 03:44:19 2013 GMT) Additional checks SSL certificate history checks yielded no new information
Assessment: It’s not clear if it was vulnerable so wait for the company to say something publicly, if you used the same password on any other sites, update it now.
This posting reveals vulnerability in a technology called Open SSL that powers encryption across most of the Internet. The vulnerability is generally known as the “Open SSL Heartbleed Flaw.” Although wufoo customers don’t have to worry about this vulnerability, they should still reset their passwords. Search for employment applications at Granted and secure a position at a great company.
Posted April 11th, 2014 by Nabeal T..