April 9, 2014

Google Services Updated to Address OpenSSL CVE-2014-0160 (the Heartbleed bug)

You may have heard of “Heartbleed,” a flaw in OpenSSL that could allow the theft of data normally protected by SSL/TLS encryption. We’ve assessed this vulnerability and applied patches to key Google services such as Search, Gmail, YouTube, Wallet, Play, Drive, Apps, App Engine, AdWords, DoubleClick, Maps, Maps Engine, Earth, Analytics and Tag Manager.  Google Chrome and Chrome OS are not affected. We are still working to patch some other Google services. We regularly and proactively look for vulnerabilities like this -- and encourage others to report them -- so that that we can fix software flaws before they are exploited. 

If you are a Google Cloud Platform or Google Search Appliance customer, or don’t use the latest version of Android, here is what you need to know:

Cloud SQL
We are currently patching Cloud SQL, with the patch rolling out to all instances today and tomorrow. In the meantime, users should use the IP whitelisting function to ensure that only known hosts can access their instances. Please find instructions here.

Google Compute Engine
Customers need to manually update OpenSSL on each running instance or should replace any existing images with versions including an updated OpenSSL. Once updated, each instance should be rebooted to ensure all running processes are using the updated SSL library. Please find instructions here.

Google Search Appliance (GSA)
Engineers have patched GSA and issued notices to customers. More information is available in the Google Enterprise Support Portal.

All versions of Android are immune to CVE-2014-0160 (with the limited exception of Android 4.1.1; patching information for Android 4.1.1 is being distributed to Android partners).

We will continue working closely with the security research and open source communities, as doing so is one of the best ways we know to keep our users safe.

Apr 12: Updated to add Google AdWords, DoubleClick, Maps, Maps Engine and Earth to the list of Google services that were patched early, but inadvertently left out at the time of original posting.

Apr 14: In light of new research on extracting keys using the Heartbleed bug, we are recommending that Google Compute Engine (GCE) customers create new keys for any affected SSL services. Google Search Appliance (GSA) customers should also consider creating new keys after patching their GSA. Engineers are working on a patch for the GSA, and the Google Enterprise Support Portal will be updated with the patch as soon as it is available.

Also updated to add Google Analytics and Tag Manager to the list of Google services that were patched early, but inadvertently left out at the time of original posting.

Apr 16: Updated to include information about GSA patch.

Apr 28: Updated to add Google Drive, which was patched early but inadvertently left out at the time of original posting.


  1. What about the older mini Google Search Appliances (GSA)? Is there a patch being worked on for these as well?

  2. So to put this in a way that the average person would understand and be concerned about, would it be recommended that any Google/Gmail users change their current passwords?

  3. News articles on Heartbleed are suggesting users change their passwords at sites that have patched this vulnerability. Is Google recommending Google Apps and other users change their account passwords?

  4. Can you tell us when Gmail, Wallet, search and other key services were patched?

  5. How do we know your SSL certificates aren't compromised? Did you replace them after patching? The certificate for mail.google.com says it was issued on April 2, and Heartbleed wasn't announced to the public until the 8th.

  6. In addition to patching OpenSSL, can you confirm if you've acquired new certificates, generated and deployed new SSL keys, and revoked old keys and certs?

  7. Do I have to change my password?

  8. Are SMTP and POP now safe? I use them to read my gmail but I've been holding off.

    Also, can you tell me if gmail was updated by around Tuesday at 8pm UTC time (around 1pm Pacific)? That's when I changed my password, and I'm wondering if I need to do it yet again.

    Thank you!

    I posted this on the uk site also before finding this one. Sorry for double-posting.

  9. A recent ABC News article quotes an email from Google saying that users do not need to change their passwords.

    Is that Google's official word on the matter? I've had a hard time finding an official statement on your site.

  10. Heartbleed was publically announced recently. If Google's SSl implementation was vulnerable at ANY point, passwords could have been caputred. There is no indication that this vulnerability was not privately known prior to the public announcement. Would it not be prudent to change your passwords, regardless?

    Cyber Security Professional

  11. Changing your passwords before a service is patched (fixed) is kinda pointless. You would be better off waiting until the services you use are fixed. I'm giving it a week or so before I go change my passwords. Meanwhile I will not be logging on to any services that have payment details linked to them. It is quite possible that the hacking community (yeah, they like to call themselves a community) did not learn of this vulnerability. If they had they would have exploited it heavily and it would probably have been detected much sooner. Much in the same way that if thieves kept stealing your stuff all the time you would probably soon realise that you had left the back door open. Now that the cat is out of the bag however, thieves and hackers (same thing?) have a short window of opportunity to exploit this vulnerability before the door is slammed shut.

  12. So after you patch all your systems only then you should inform the users to change their passwords. Until then a user changing his account passwords is basically a waste of time!

  13. @Blair Mansell - the Mini is not affected by this, as it has an older version of OpenSSL. The exploit only affects OpenSSL 1.0.1a through 1.0.1f.

  14. Even if Google say that it is safe and totally trust them, do you want to take that risk anyway?

    According to the public website providing lot of information (http://heartbleed.com/) there's no way to detect such attacks, and knowing the bug has been there for the last two years, well you should totally change your passwords whatever Google, Facebook or Microsoft tell you, but not point to change them if the service/website is not patched yet.

  15. I have to agree with the post from 'Cyber Security Professional'.
    Just change your passwords. It is the only way you will be able to stop worrying about it. It sure is a hassle to change all my passwords, but still way less of a hassle than trying to recover from identity theft.

  16. Google stock Android 4.3 seems to be affected, too...
    Heartbleed Detector App detects OpenSSL version 1.0.1e and warns to be affected by the bug!
    Running on Galaxy Nexus / Baseband version I9250XXLJ1 / Kernel version 3.0.72-gfb3c9ac / Build number JWR66Y

  17. I also saw the quote from Google on the ABC News article saying "They later added to their statement saying that, "The security of our users' information is a top priority. We fixed this bug early and Google users do not need to change their passwords." "

    Now come on. All of us just read about this bug. We know Google used OpenSSL, and apparently the versions that were vulnerable since they said they applied patches, and if we logged in during the vulnerable period then our password is at risk. If there was an exploit running (well we know there were exploits from the proofs of concept, just don't know if there were big ones), then our passwords could be in someone's hands. And less likely but maybe more scary, if someone is storing net traffic and was able to get the certificates as Codenomicon says they were able to do, then lots of our previous communication (and password) could be decrypted.

    Maybe Google wants to wait until they know everything needed is patched before asking users to change their passwords. If so, it would be nice to tell us that.

    Or, if Google really thinks the risk is so low that changing passwords is not required, then please tell us that as well and give us reasons.

  18. Check out http://www.gnupg.org or just go Google :)

  19. Google has security whitepapers in case you dont notice, they're the specialists when it comes to this I believe. Just read what the blog says.

    2 options: http://www.gnupg.org or just go Google since they are implementing countermeasures as well as everyone here obviously :)

  20. Can we have this clarified please? "patching information for Android 4.1.1 is being distributed to Android partners"

    I own a MachSpeed Trio stealth G2 tablet, and according to them as of today (4/14/2014) they are still waiting to even hear about a patch..

  21. "All versions of Android are immune" means ALL versions of android of all-of-versions-still-being-maintained-by-google (which is like, only 4+?)

    should 2.3 and such be safe?

  22. motorola razr maxx still runung on 4.1.2 who's fault is it?

  23. wow, i don't see any update for my samsung galaxy s3 yet :'(

  24. This post lists numerous services that were patched, but it also states "we are still working to patch some other Google services".

    Given the amount of time that has passed since the article was written, I would guess that all services have been patched now. That said, confirmation from Google that this is the case would be welcome.

    Thank you.

  25. Any chance Google can release a Heartbleed patch app directly to users? Many (most?) device vendors have completely abandoned their devices that are currently running Android 4.1.1 (I'm looking at you, Kobo...)

    Google should look at establishing an update service for Android devices that's independent of device vendors, as vendors typically don't take any responsibility for updating their devices once they've got the consumers' cash. Even if such a service only offered device-agnostic security fixes it would be very valuable.

  26. OpenVPN is also affected by Heartbleed bug

    see: http://arstechnica.com/security/2014/04/heartbleed-exploited-to-hack-network-with-multifactor-authentication/

  27. I am searching this related stuff from long time.Now I can solve my problem from here.Thanks for sharing this great post with us.
    Chemical Flow Meter

  28. Gmail Password reset is very competitive solution without any detail for any technician, but dont worry it not impossible our technician can reset gmail password without any account detail -

  29. Great post, but the time is administered for you priority, and this are changes every day, of course there are many distractions, for waste you time.
    The Bag Nag

  30. I would also like to know the status of the Google mini.

  31. @Dave Watts - can you point to any statement from Google that the Google Mini is not affected? My organization's security folks just flagged my mini - I need all the ammunition I can get to resist their urge to block it!

  32. I am impressed from the post of cyber security post. Today it is very important for all of us to have fully protect from cyber disadvantages. In present it is increasing so highly.

    Latest News Article

  33. @Michael Tilley - I don't know if there's a public statement by Google Enterprise about the Google Mini here. But only certain versions of the GSA software are vulnerable. They're the versions that include OpenSSL 1.0.1a through 1.0.1f.

    OpenSSL 1.0.1a was released on 19 April 2012, according to the OpenSSL changelog. The latest version of the Mini runs GSA 5 software, which significantly predates that. So, unless Google has time-travel technology, you're safe from this problem with the Mini.

    You can easily check the status of an individual server using free tools. I suggest you use one of those.

    I wrote an overview post about Heartbleed, with a little bit about the GSA and the testing tools I just mentioned. You can read it here:



You are welcome to contribute comments, but they should be relevant to the conversation. We reserve the right to remove off-topic remarks in the interest of keeping the conversation focused and engaging. Shameless self-promotion is well, shameless, and will get canned.

Note: Only a member of this blog may post a comment.