‘Heartbleed Bug’ Online Security Flaw Exposed

April 10, 2014

International security researchers this week revealed the “Heartbleed” bug, a vulnerability that is said to affect one of the most commonly used encryption software programs in the world.

Many major websites including Google, Facebook, Yahoo and Amazon have said they’ve taken steps to secure their sites.

David Chartier, CEO of Finnish firm Codenomicon, which helped to uncover the bug, told The Associated Press that OpenSSL is used on approximately two-thirds of web servers.

In explaining the bug, Codenomicon said: “The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library.

“This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks [VPNs].

“The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software.

“This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.”

A blog post by Tumblr staff said, “We have no evidence of any breach and, like most networks, our team took immediate action to fix the issue.

“But this still means that the little lock icon (HTTPS) we all trusted to keep our passwords, personal emails, and credit cards safe, was actually making all that private information accessible to anyone who knew about the exploit.

“This might be a good day to call in sick and take some time to change your passwords everywhere—especially your high-security services like email, file storage, and banking, which may have been compromised by this bug.”

Internet powerhouse Google said, “We’ve assessed this vulnerability and applied patches to key Google services such as Search, Gmail, YouTube, Wallet, Play, Apps, and App Engine. Google Chrome and Chrome OS are not affected.

“We are still working to patch some other Google services. We regularly and proactively look for vulnerabilities like this — and encourage others to report them — so that we can fix software flaws before they are exploited.”

Tech blog Mashable has published a “Heartbleed Hit List, Passwords You Need to Change Right Now.”

Comments (4)

  1. Wheels on the Bus says:

    International law should require that hackers be given the most grievous sentence known to man, a form of torture so profound – or simply the death penalty – so that no person would want to risk the benefits or ill pleasures of hacking. Hackers destroy lives, are terrorists, infect computers, cost us time, money, frustration, compromise our security, and much more. They are our invisible oppressors.

    • Loquatz says:

      This isn’t really a hack. It’s a bug in the software and there’s a scramble to deploy the patch all over the internet.

  2. No No No says:

    Actually, when caught, the case usually gets brushed under the carpet, and they later emerge as a silent employee for mega-software companies to test security vulnerabilities.

  3. Death by ballywambah1