OpenSSL, the software library that provides the encryption for an estimated 66% of all servers on the public Internet, has a serious flaw that puts much of the web's protection at risk. Never used an online banking service? This is not the moment to start.
Tumblr, which is owned by Yahoo, announced on Tuesday that it had been hit by the so-called “Heartbleed Bug” and recommended that users change their passwords not just for its site but for all others as well. Among those unaffected were Apple, Google, Microsoft, and the major online banking services.
“The scope of this is immense,” said Kevin Bocek, vice president of security strategy and threat intelligence for Venafi, a Salt Lake City cybersecurity company. “And the consequences are still scary. I’ve talked about this like a ‘Mad Max‘ moment. It’s a bit of anarchy right now. Because we don’t know right now who has the keys and certificates on the Internet right now.”
Though “OpenSSL” is jargon most of the public has never heard, everyone will recognise the green padlock icon in the browser's address bar, next to “https”. That padlock signals the encrypted connection that is supposed to protect whatever sensitive operations we perform online, and on most sites OpenSSL is the software providing it.
The vulnerability was first spotted by Neel Mehta, a security researcher at Google, and independently by a team of security engineers at Codenomicon, a security firm that has since created a website with information about Heartbleed.
“Heartbleed is like finding a faulty car part used in nearly every make and model, but you can’t recall the Internet and all the data you put out on it,” comments Jonathan Sander, vice president of research and technology for Stealthbits Technologies, a cybersecurity firm. What began as a single programming mistake spread to every server that installed the affected OpenSSL versions, giving anyone with modest technical skill a way to pull personal data out of those servers using simple tools freely available online.
To tackle the problem, an updated version of OpenSSL has been issued, and sites can install it to fix the bug. Patching alone is not enough, though: because the flaw could have exposed a server's private keys, sites also need to generate new keys and obtain new certificates, and revoke the old ones, before it is safe for their users to change passwords.
Whatever the updates and technical fixes, users are still strongly advised to watch their own web security and think twice before carrying out any sensitive operation online, allowing time to make sure the service has actually been fixed.
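The first question a server operator has to answer is whether the OpenSSL build in use is one of the affected releases at all. The following is an added example, not code from the article or from the OpenSSL project: it parses the banner that `openssl version` (or Python's own `ssl.OPENSSL_VERSION`) prints and compares it against the affected range published in the OpenSSL advisory, which is 1.0.1 through 1.0.1f (fixed in 1.0.1g) and the 1.0.2-beta1 pre-release (fixed in 1.0.2-beta2); 0.9.8 and 1.0.0 never had the bug. The function names and the sample banners are my own. The important caveat is built in: several Linux distributions backported the fix without changing the version letter, so a banner inside the affected range means "confirm with your package manager or a live test", not "definitely vulnerable", while a banner outside it is a reliable "not affected".

```python
import re
import ssl

# Matches banners such as "OpenSSL 1.0.1e 11 Feb 2013", "OpenSSL 1.0.1e-fips ..."
# and "OpenSSL 1.0.2-beta1 24 Feb 2014". Letter and beta number are optional.
_BANNER_RE = re.compile(
    r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?", re.IGNORECASE
)


def parse_openssl_version(banner):
    """Return (major, minor, fix, letter, beta) parsed from an OpenSSL banner.

    Raises ValueError for non-OpenSSL banners (e.g. a LibreSSL-linked Python).
    """
    m = _BANNER_RE.search(banner)
    if not m:
        raise ValueError("not an OpenSSL version banner: %r" % (banner,))
    major, minor, fix, letter, beta = m.groups()
    return int(major), int(minor), int(fix), letter.lower(), (int(beta) if beta else None)


def version_is_in_heartbleed_range(banner):
    """True if the upstream release named in the banner shipped the Heartbleed bug.

    Affected upstream releases (per the OpenSSL advisory): 1.0.1 .. 1.0.1f and
    1.0.2-beta1. Note the caveat below about distribution backports.
    """
    major, minor, fix, letter, beta = parse_openssl_version(banner)
    if (major, minor, fix) == (1, 0, 1):
        # 1.0.1 (no letter) through 1.0.1f are affected; 1.0.1g and later are fixed.
        return letter == "" or letter <= "f"
    if (major, minor, fix) == (1, 0, 2):
        # Only the first 1.0.2 beta was affected; beta2 carried the fix.
        return beta == 1
    return False


def assess_banner(banner):
    """Turn the range check into the verdict an operator should actually act on.

    Distributions such as Debian and Red Hat backported the fix while keeping the
    old letter (e.g. a patched build still prints 1.0.1e), so an in-range banner
    is only "needs confirmation", never proof of exposure on its own.
    """
    try:
        in_range = version_is_in_heartbleed_range(banner)
    except ValueError:
        return "not OpenSSL; Heartbleed does not apply"
    if in_range:
        return "in affected range: confirm via distro package changelog or a live test, then patch and re-key"
    return "outside affected range: not vulnerable to Heartbleed"


def running_interpreter_report():
    """Assess the OpenSSL this Python interpreter is linked against."""
    banner = ssl.OPENSSL_VERSION
    return banner, assess_banner(banner)


if __name__ == "__main__":
    # Constructed sample banners, not output captured from any real system.
    for sample in ("OpenSSL 1.0.1e 11 Feb 2013", "OpenSSL 1.0.1g 7 Apr 2014",
                   "OpenSSL 1.0.2-beta1 24 Feb 2014", "OpenSSL 1.0.0l 6 Jan 2014"):
        print(sample, "->", assess_banner(sample))
    print(*running_interpreter_report(), sep=" -> ")
```

Run it on a server with `python3 heartbleed_check.py`, or feed it the output of `openssl version` from each host; an "outside affected range" verdict settles the question, while an "in affected range" verdict means checking the distribution's package changelog before deciding whether the patch-and-re-key procedure above is still owed.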
Do not log in to Yahoo! The OpenSSL bug #heartbleed allows extraction of usernames and plain passwords!
Change Your Passwords: A Massive Bug Has Put Your Details at Risk
A massive bug affecting much of the web’s encryption technology is uncovered, with sites from Yahoo to Tumblr affected
A newly discovered bug in software meant to provide extra protection for thousands of the world’s most popular websites has exposed highly sensitive information such as credit card numbers, usernames, and passwords, security researchers said.
The discovery of the bug, known as Heartbleed, has caused several websites to advise their users to change their passwords.
“This might be a good day to call in sick and take some time to change your passwords everywhere — especially your high-security services like email, file storage, and banking, which may have been compromised by this bug,” Tumblr wrote in a note to its many users.
“The little lock icon (HTTPS) we all trusted to keep our passwords, personal emails, and credit cards safe, was actually making all that private information accessible to anyone who knew about the exploit.”
Yahoo, the owner of Tumblr, confirmed that its users’ passwords had been compromised.
The bug was discovered late last week in OpenSSL, the technology that handles encryption for two-thirds of the Internet’s servers. The researchers who discovered it said that most Internet users “are likely to be affected either directly or indirectly.”
It was found simultaneously by a Google security researcher and a small security firm named Codenomicon and disclosed Monday night.
Experts are now scrambling to assess the extent of the exposure, because the bug went undiscovered for two years and an attacker exploiting it leaves no trace on the server.
“We have tested some of our own services from attacker’s perspective. We attacked ourselves from outside, without leaving a trace,” Codenomicon wrote on their newly created website about the bug.
According to several security experts, it is one of the most serious security flaws uncovered in many years.
“Heartbleed is like finding a faulty car part used in nearly every make and model, but you can’t recall the Internet and all the data you put out on it,” Jonathan Sander, vice president of research and technology for Stealthbits Technologies, a cybersecurity firm, told the Los Angeles Times.