What you need to know about the serious ‘bug’ affecting (not so) ‘secure’ servers:
A “serious vulnerability” has been found in the software that often encrypts your user name, password and banking information when you log into “secure” websites, as indicated by the little lock icon in your browser.
The “Heartbleed bug” has the potential to expose huge amounts of private data, including user names, passwords, credit card numbers and emails, since it was found in a popular version of OpenSSL software code. The code is used by over two-thirds of active websites on the internet to provide secure and private communications, reported a website set up by security researchers to provide information about the bug.
The software code is also used by many email and chat servers and virtual private networks.
The bug allows “anyone on the internet” to read the memory of systems protected by the bug-afflicted code, compromising the secret keys used to encrypt the data, the researchers reported.
“This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.”
Tests by the security researchers who discovered the bug showed that eavesdropping via the bug is undetectable.
“Without using any privileged information or credentials we were able steal from ourselves the secret keys used for our X.509 certificates, user names and passwords, instant messages, emails and business critical documents and communication,” they wrote.
The bug was discovered independently by security engineers at the Finnish internet security testing firm Codenomicon and Neel Mehta of Google Security. It is found in a version of the code that has been used by internet services for more than two years.
The researchers say they don’t know if any cybercriminals have discovered and exploited the bug.
Patched version available
A patched version of the software code was released Monday when the bug was disclosed, but it still needs to be incorporated into the actual operating systems and software that use it. Then it must be installed by the owners of the affected internet services. All that may take some time.
Meanwhile, as a user, what can you do to ensure the web services you’re using are safe? Italian security researcher Filippo Valsorda has created a tool that lets you check whether a website has the Heartbleed vulnerability.
Valsorda noted that the site sometimes generates a false negative, probably because it is overloaded, but testing a vulnerable site over and over will eventually give a positive result. “The red result takes precedence over all the others and is certain,” he wrote.
Yahoo patching its services
As of Tuesday morning, the tool suggested that Google, Microsoft, Twitter, Facebook, Dropbox, and Amazon remain safe, but Yahoo.com is vulnerable.
“Please take immediate action,” the site says, directing users to the Heartbleed FAQ.
By 3 p.m. ET, Yahoo said it had successfully patched the bug on its homepage, search, mail, finance, sports, food, tech, Flickr photo and Tumblr blogging services.
“We are working to implement the fix across the rest of our sites right now,” a Yahoo spokesperson wrote in an email.
The official name of the Heartbleed bug is CVE-2014-0160, and it affects OpenSSL versions 1.0.1 to 1.0.1f, but not earlier or later versions. It was nicknamed “Heartbleed” because it was found in a part of the code called the “heartbeat extension.”