by Jeremy Carey and Dan Auerbach
Earlier this week a vulnerability nicknamed Shellshock was made public that exposed a critical flaw in the widely-used Bash shell, threatening endpoint security for a huge segment of servers and personal devices. By exploiting an error in how Bash parses functions defined inside environment variables, the security bug gives attackers who are able to pass environment variables to a Bash shell the ability to execute arbitrary code.
While Bash itself is not an Internet-facing service, many Internet-facing services such as web servers and servers running SSH call Bash internally and are thus vulnerable to Shellshock. Security researchers have yet to determine the full ramifications of this bug, but given how ubiquitous Bash is, this vulnerability is likely to have lasting and serious security consequences for the Internet at large.
Upon immediate investigation of the issue, we have not found any instances of our systems being exploited by this bug. In an effort to be proactive, we have completed an audit of all of our systems to ensure that vulnerable versions of Bash are not being used. We pride ourselves in responding quickly to any security issues such as Heartbleed (which happened earlier this year) and Shellshock, both because securing our user data is of utmost importance, and because being a good Internet citizen means abiding by security best practices so that we can build a safe ecosystem together. This is why we use HTTPS transport encryption for all of our traffic, and proactively work to secure the user data entrusted to us.
Shellshock also reminds us that some of the common tools that people rely on the most and that are built from free and open source software can themselves be a vector of vulnerability. As a community, we need to ensure that this software gets regular scrutiny from security researchers. We hope that others will use our platform to fund such security research efforts. This is a cause we can get behind and will gladly support.