Jawbone Response for Heartbleed Bug
A major vulnerability in the OpenSSL library, known as Heartbleed, was made public on 4/7/14. Upon its announcement, we immediately patched the vulnerability in our infrastructure and rotated our certificates. While there has been no evidence of malicious behavior, we are taking precautionary measures to protect our API's consumers and partners.
As such, we are requiring all members of the Developer Platform to make the following updates within 2 weeks, by 4/25/14. Please review this information and share with your technical team. You can contact us with any questions at firstname.lastname@example.org.
Required steps for members of the Jawbone Developer Community:
Obtain a new client secret
We are reissuing all app client secrets and invalidating the old ones. Until 4/25/14 both the old and the new client secret will be valid. At the end of that window we will invalidate the old client secret, which means you will no longer be able to authenticate any new users with it.
You can obtain your new client secret by logging into the developer platform and accessing your app configuration.
1. Log in to developer.jawbone.com
2. On the left, choose "Manage Account".
3. For your org, choose "Manage Apps".
4. Select any application created before this update.
5. Under App Secret, two secrets will be listed. The first is your new client secret. The second, grayed-out entry is the original client secret, with its expiration time listed after it.
Obtain new user access tokens
We will also invalidate all current user access tokens on 4/25/14. This means you must refresh all of your active user tokens using your new client secret. You should have been issued a refresh token when the original access token was granted.
Details on refreshing your access token are documented here: https://jawbone.com/up/developer/authentication
We have also provided a new endpoint to retrieve your refresh token for specific users here: https://jawbone.com/up/developer/endpoints/refreshtoken.
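The rotation described above, as an added illustration that is not Jawbone's own code: it walks a store of per-user tokens, sends each refresh token through the standard OAuth 2.0 refresh_token grant (RFC 6749, section 6) with the new client secret, keeps the new token pair on success, and records users whose refresh failed (no refresh token on file, unknown refresh token, or a rejected client secret) so they can be sent back through authorization. The token endpoint URL is a placeholder, since the real one is in the authentication documentation linked above, and the fake server and user records are constructed for the demonstration.

```python
"""Re-issue stored user tokens with a rotated client secret.

Added illustration; not Jawbone's code. Assumes the token endpoint
implements the standard OAuth 2.0 refresh_token grant (RFC 6749, section 6)
and answers with JSON carrying access_token / refresh_token, or an "error"
member on failure. TOKEN_ENDPOINT is a placeholder, not the real URL.
"""
import json
import urllib.parse
import urllib.request

TOKEN_ENDPOINT = "https://example.invalid/oauth/token"  # placeholder (assumption)


def build_refresh_body(refresh_token, client_id, client_secret):
    """Form-encoded body of an RFC 6749 section 6 refresh request."""
    return urllib.parse.urlencode({
        "grant_type": "refresh_token",
        "refresh_token": refresh_token,
        "client_id": client_id,
        "client_secret": client_secret,
    }).encode("ascii")


def parse_token_response(body):
    """Return (access_token, refresh_token_or_None); raise ValueError on an OAuth error."""
    data = json.loads(body)
    if "error" in data:
        raise ValueError(data["error"])
    if "access_token" not in data:
        raise ValueError("no access_token in response")
    # A server may or may not rotate the refresh token; None means "keep the old one".
    return data["access_token"], data.get("refresh_token")


def http_post(body):
    """Real transport: POST the form body to the token endpoint, return response bytes."""
    req = urllib.request.Request(TOKEN_ENDPOINT, data=body, method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read()


def rotate_user_tokens(users, client_id, client_secret, post=http_post):
    """users: {user_id: {"access_token": ..., "refresh_token": ...}}.

    Returns (refreshed, needs_reauth): refreshed maps user_id to the new token
    pair; needs_reauth lists users whose refresh failed and who must re-authorize.
    """
    refreshed, needs_reauth = {}, []
    for user_id, tokens in users.items():
        old_refresh = tokens.get("refresh_token")
        if not old_refresh:
            needs_reauth.append(user_id)  # nothing to refresh with
            continue
        body = build_refresh_body(old_refresh, client_id, client_secret)
        try:
            access, new_refresh = parse_token_response(post(body))
        except (ValueError, OSError):
            needs_reauth.append(user_id)  # rejected secret, unknown token, or transport error
            continue
        refreshed[user_id] = {"access_token": access,
                              "refresh_token": new_refresh or old_refresh}
    return refreshed, needs_reauth


def fake_token_server(valid_secret, known_refresh_tokens):
    """Constructed stand-in for the token endpoint (not the real service): it
    accepts only the rotated client secret and refresh tokens it knows about."""
    def post(body):
        form = dict(urllib.parse.parse_qsl(body.decode("ascii")))
        if form.get("client_secret") != valid_secret:
            return json.dumps({"error": "invalid_client"}).encode()
        if form.get("refresh_token") not in known_refresh_tokens:
            return json.dumps({"error": "invalid_grant"}).encode()
        tok = form["refresh_token"]
        return json.dumps({"access_token": "new-access-" + tok,
                           "refresh_token": "new-refresh-" + tok}).encode()
    return post


# Constructed sample token store: one refreshable user, one with no refresh
# token on file, one whose refresh token the server does not recognize.
SAMPLE_USERS = {
    "u1": {"access_token": "old-a1", "refresh_token": "r1"},
    "u2": {"access_token": "old-a2", "refresh_token": None},
    "u3": {"access_token": "old-a3", "refresh_token": "r-unknown"},
}

if __name__ == "__main__":
    server = fake_token_server("NEW_SECRET", {"r1"})
    ok, bad = rotate_user_tokens(SAMPLE_USERS, "app-id", "NEW_SECRET", post=server)
    print("refreshed:", ok)
    print("need re-authorization:", bad)
```

Running it with the old client secret against the same fake server puts every user into the re-authorization list, which is the situation the notice warns about once the old secret expires; the `post` parameter exists so the same logic can be exercised against a fake before being pointed at the real endpoint.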
We realize this puts extra load on developers. Our team has also spent significant time this week on auditing and securing our systems. We hope that all members of the Jawbone Developer Community are willing to take these extra steps to help protect against compromise and share our focus on data security.
Andrew, Mike, Steve and the platform engineering team
What is the Heartbleed bug?
As you may already know, the Heartbleed bug (http://heartbleed.com) is a security vulnerability in the OpenSSL cryptographic software library that can leave encrypted user data exposed. It allows anyone to read the unencrypted memory of systems protected by OpenSSL software. This could compromise the secret keys used to protect your users and allow attackers to eavesdrop on communications and steal their data. This bug affects nearly two thirds of all internet traffic.
Why am I getting this message?
You're a member of the Jawbone Developer Community and are registered as an admin/developer for an application.
Who can I talk to with questions?
Members of our platform team are standing by to assist and answer questions. Please start a support ticket by emailing email@example.com.
What happens if I don’t follow these steps?
If you don’t use the new client secret you will be unable to authenticate new users. If you don’t refresh the user access tokens your application will be unable to read/write user data once the current tokens are invalidated.
My app is just using my own data, or just a small group’s. Isn’t there some sort of exception?
No exceptions. This vulnerability could allow anyone to act as your application, so the size of your user base is not the determining factor in our response.