On Monday of this week, a group of security researchers discovered and publicly disclosed a vulnerability in OpenSSL, a software package that is widely used to secure online communications. They called the bug Heartbleed.
Evernote does not use, and has not used, OpenSSL, so we were not vulnerable to this bug. As an Evernote user, you don’t need to take any action.
Some of the services that we use, for example, our support ticketing system, do use OpenSSL. These services have all fixed the bug. We do not believe that any sensitive data was accessed. We are actively monitoring the situation and will notify you if we discover anything.
Update, May 29, 2014: When the Heartbleed vulnerability was publicly announced, we confirmed that the Evernote service was not and had never been vulnerable. Evernote’s security team then began reviewing each of our client software applications to determine whether they were impacted. We learned that the Android 4.1.1 operating system itself uses a vulnerable version of OpenSSL, which means that many of the applications, including Evernote, that run on that operating system are vulnerable to an attacker accessing random pieces of information when that device connects to a network.
For Android 4.1.1 Users
Google is working with mobile service providers to push an Android operating system update, but Evernote has no control over this process. If you are running Android 4.1.1 on your device, we recommend you take the following steps to protect yourself:
- Avoid using public Wi-Fi networks with your Android 4.1.1 device
- Contact your mobile service provider and ask them for an update that fixes the Heartbleed vulnerability
- Consider switching to a device that runs a newer version of Android and deactivate your Android 4.1.1 device inside your Evernote account
We have also sent this information in an email to affected users.
Skitch for Windows
We have also found and fixed a vulnerability in our Skitch for Windows application. We released version 2.3.1 on May 7th to address this vulnerability. If you use Skitch for Windows, be sure to update to the latest version.