There has been a discovery by researchers that has brought to light a serious vulnerability in open-source software called OpenSSL that's widely used to encrypt web communications. Known as “Heartbleed,” the bug can give hackers access to personal data like credit card numbers, usernames, passwords, and, perhaps most importantly, cryptographic keys—which can allow hackers to impersonate or monitor a server. Yahoo Mail was one of the big name sites that admitted that they were vulnerable to attack. Yahoo has since patched all of their mail servers along with other main Yahoo sites such as Yahoo Search, Finance, Sports, Flickr and Tumblr. LastPass also uses OpenSSL and was vulnerable (until this morning), but due to extra encryption that happens on your machine, LastPass informed users that all their data is still safe. Other sites impacted include
Some experts have already called Heartbleed the worst bug yet, something that should worry everyone who frequents the Internet or does business on it. Even the U.S. government's Department of Homeland Security advised businesses on Tuesday to review their servers to see if they were using vulnerable versions of OpenSSL. It appears that the bug was introduced to OpenSSL in December 2011 and has been out in the wild since OpenSSL release 1.0.1 on 14th of March 2012. OpenSSL 1.0.1g released on 7th of April 2014 fixes the bug.
What versions of the OpenSSL are affected?
- OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
- OpenSSL 1.0.1g is NOT vulnerable
- OpenSSL 1.0.0 branch is NOT vulnerable
- OpenSSL 0.9.8 branch is NOT vulnerable
The vulnerability in encryption software OpenSSL was discovered by Google researcher Neel Mehta and the security firm Codenomicon. They gave the bug—officially known as CVE-2014-0160—the appropriately evocative and frightening name Heartbleed. It appears that there are updates already available to address the vulnerability in OpenSSL.
It is estimated that over 66% of the web uses OpenSSL, so you might want to hold off on doing any online banking until companies have had time to update their servers. You can test certain sites using this tool, though it won't answer whether a site was previously vulnerable at any point in the past. You can find a list of possibly affected sites here, but keep in mind they may have been vulnerable sometime in the past two years.