Heartbleed


So the big news last week was the “Heartbleed” bug disclosed by Codenomicon and Google engineers. I won’t repeat details of the vulnerability here; you can see the original post and references at heartbleed.com.

Here are a few high-level details of the way that JUST EAT handled the situation.

Due to time differences, JUST EAT staff in Canada were first to receive notification about Heartbleed in the early hours of Tuesday 8th April (UK time), and investigations into what needed to happen were well underway by the time the main security and engineering teams came online in London.
Because JUST EAT's main platform is not served from Linux servers, the first reaction may be that we were not affected, but we do have Linux-based services as part of our communications path, so it was important we took all necessary steps to be absolutely sure our customers' and partners' data was protected.
Followers of JUST EAT will know we utilise partners such as Google and Amazon for many internal and public-facing services. Most of the JUST EAT services affected were offloading SSL/TLS to those services, and we were in touch with their technical teams throughout the day to track the progress of their remediation. Obviously, being one of the reporters of the vulnerability, Google were already well underway, and Amazon were not far behind. Using a script to repeatedly test our sites, we could see the speed at which Amazon were rolling out the patch to their Elastic Load Balancers, which front the JUST EAT public-facing sites. As soon as we received confirmation that each service had been remediated, we proceeded with replacing our certificates/keys.
As of Thursday 10th April all core JUST EAT services have been fully remediated and we recommend that customers and partners change their passwords.
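The ordering described above (wait for each service to be patched, then replace its keys) can be tracked from the results of repeated site tests. The following is an added example, not JUST EAT's script: the observation format, status names, hostnames and fingerprints are constructed assumptions, and the vulnerable/not-vulnerable flag is assumed to come from whatever test is already being run.

```python
# Constructed observations: (UTC time, host, still_vulnerable, fingerprint of served key).
# Hostnames and fingerprints are made up for illustration.
OBSERVATIONS = [
    ("2014-04-08T09:00Z", "www.example.test", True, "aa11"),
    ("2014-04-08T13:00Z", "www.example.test", False, "aa11"),
    ("2014-04-09T10:00Z", "www.example.test", False, "bb22"),  # rotated after patch
    ("2014-04-08T09:00Z", "api.example.test", True, "cc33"),
    ("2014-04-08T11:00Z", "api.example.test", True, "dd44"),   # rotated too early
    ("2014-04-08T15:00Z", "api.example.test", False, "dd44"),
    ("2014-04-08T09:00Z", "m.example.test", True, "ee55"),     # not patched yet
    ("2014-04-08T09:00Z", "static.example.test", False, "ee55"),  # shares m's key
]


def remediation_status(observations):
    """Return {host: status} from a log of repeated test results.

    A key counts as exposed if it was ever served by ANY endpoint while that
    endpoint was still vulnerable, because the same key is often deployed on
    several load balancers.
    """
    exposed_keys = set()
    latest = {}
    # Timestamps share one ISO-like format, so string order is time order.
    for when, host, vulnerable, key_fp in sorted(observations):
        if vulnerable:
            exposed_keys.add(key_fp)
        latest[host] = (vulnerable, key_fp)

    status = {}
    for host, (vulnerable, key_fp) in latest.items():
        if vulnerable:
            # A key installed now would be exposed as well.
            status[host] = "WAIT_FOR_PATCH"
        elif key_fp in exposed_keys:
            status[host] = "ROTATE_KEY"
        else:
            status[host] = "DONE"
    return status


if __name__ == "__main__":
    for host, state in sorted(remediation_status(OBSERVATIONS).items()):
        print(f"{host:22} {state}")
```

Note that `api.example.test` still needs a new key even though it changed keys once, because the replacement was installed before the patch landed.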