The Internet community learned on April 7 about the OpenSSL vulnerability CVE-2014-0160, known colloquially as Heartbleed. Many security professionals remember similar vulnerabilities in SSH, BIND, and Sendmail that pried open large chunks of the Internet infrastructure. Heartbleed is a vulnerability of the same kind, as detailed on the Heartbleed website.
We join financial institutions across the Internet in responding to this critical vulnerability, and as part of that response we conducted a full security review. That review confirmed that no client-facing Wealthfront systems were vulnerable to Heartbleed, as none of them run a vulnerable version of OpenSSL.
Further Resources for Heartbleed Help
Everyone deploying production services on the Internet is working to mitigate the effects of this vulnerability. We recommend auditing all OpenSSL systems and upgrading all systems using OpenSSL library versions 1.0.1 through 1.0.1f. Here is a quick roundup of resources we found useful in our response to this disclosure:
- Codenomicon’s original disclosure with FAQ
- NIST’s National Vulnerability Database entry
- Lifehacker’s Heartbleed breakdown
- Mustafa Al-Bassam’s test of the top 1000 sites
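To make the audit step above concrete, here is an added example (not code from the original post or from Wealthfront) that classifies `openssl version` output against the 1.0.1 through 1.0.1f range named in the post; the host names and version strings in the inventory are constructed for illustration.

```python
import re

# Affected range as stated in the post: OpenSSL 1.0.1 through 1.0.1f.
VULNERABLE_BRANCH = (1, 0, 1)
LAST_VULNERABLE_LETTER = "f"

# Matches `openssl version` output such as "OpenSSL 1.0.1e 11 Feb 2013"
# as well as a bare version string such as "1.0.1f".
_VERSION_RE = re.compile(r"(?:OpenSSL\s+)?(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(text):
    """Return (major, minor, fix, letter) parsed from `openssl version`
    output, or None when no version string is present."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, fix, letter = m.groups()
    return (int(major), int(minor), int(fix), letter)


def is_heartbleed_version(text):
    """True when the reported upstream version lies in 1.0.1 .. 1.0.1f.

    Caveat: distribution packages that backport the fix keep the old
    upstream version string, so True means "check the package changelog
    and upgrade if unpatched", not "confirmed vulnerable"."""
    parsed = parse_openssl_version(text)
    if parsed is None:
        return False
    major, minor, fix, letter = parsed
    if (major, minor, fix) != VULNERABLE_BRANCH:
        return False
    # "1.0.1" with no letter is the first release of the branch; single
    # letters compare lexically, so "a".."f" are in range and "g" is not.
    return letter == "" or letter <= LAST_VULNERABLE_LETTER


def audit(inventory):
    """Return the (host, version_output) pairs that need an upgrade."""
    return [(host, out) for host, out in inventory if is_heartbleed_version(out)]


# Constructed sample inventory (hypothetical hosts, not real systems).
SAMPLE_INVENTORY = [
    ("web-1", "OpenSSL 1.0.1e 11 Feb 2013"),
    ("web-2", "OpenSSL 1.0.1g 7 Apr 2014"),
    ("lb-1", "OpenSSL 1.0.0l 6 Jan 2014"),
    ("legacy", "OpenSSL 0.9.8y 5 Feb 2013"),
]

if __name__ == "__main__":
    for host, out in audit(SAMPLE_INVENTORY):
        print(f"{host}: {out} -> upgrade required")
```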
As always, if you have any questions about the security of your Wealthfront account, contact us at firstname.lastname@example.org. We will continue to monitor this issue as the community and vendors investigate this vulnerability further.