OpenSSL Heartbleed Vulnerability Update

On April 7, the OpenSSL Project released an update to address a vulnerability nicknamed “Heartbleed”. The vulnerability affects a substantial number of applications and services running on the Internet, including Desk.com.

Custom Domain SSL

We have worked with our infrastructure provider to update OpenSSL on all our SSL endpoints. However, because this vulnerability made it possible for an attacker to compromise a private key for an extended period of time, we strongly suggest that customers whose SSL certificates are hosted with us create a new SSL private key and SSL certificate and upload them to our system.

Your Desk Password

We encourage all Desk users to reset their Desk account passwords. We do not have any evidence that passwords have been compromised, but any time a large-scale vulnerability is discovered, the safest thing to do for your account is to rotate your Desk credentials.

In addition, any sessions that were open at 11:00 PM PST on April 9, 2014 were closed and required re-authentication. This included Desk Agent sessions and Support Center sessions using the Private Portal. The process occurred between 11:00 PM PT and 12:00 AM PT.

Desk Certificates

Since this attack could potentially have exposed our own certificates, we have revoked our old certificates as a precaution and obtained new ones for Desk properties.

Resetting your OAuth Token

If you have created API scripts or have an integration connecting to your Desk.com environment, you will need to:

- Revoke your current OAuth token
- Generate a new one

Now, when your scripts or applications try to contact your Desk.com environment, they are prompted to Log In/Grant Access to Desk.com once more to generate a new OAuth token. More information regarding resetting your OAuth token can be found here.