A critical software flaw went unnoticed for more than two years in OpenSSL, one of the world’s most widely used encryption libraries. Known as Heartbleed, the bug was inadvertently introduced in December 2011 and was only recently discovered, independently, by researchers at Google and the security firm Codenomicon.
The bug was named Heartbleed by Codenomicon because it sits in OpenSSL’s implementation of the heartbeat extension to the TLS and DTLS (transport layer security) protocols. A heartbeat message carries a payload together with a length field stating how long that payload is. The flawed code trusts the stated length and copies that many bytes back to the sender without checking it against the size of the message actually received, so the reply carries up to 64 KB of whatever happened to lie beyond the payload in memory. Either side can be targeted: a malicious client can read a server’s memory, and a malicious server can read the memory of a client that connects to it.
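To make that mechanism concrete, the following is an added example written for this page (it is not code from OpenSSL, Codenomicon or Yahoo). It models a heartbeat handler in C with the bug beside the fix. The record layout, the array named memory standing in for the process heap, and the secret string placed just past the request are all constructed for the demonstration; the length check in the patched path mirrors the one in the OpenSSL 1.0.1g fix, which requires the claimed payload plus 16 bytes of padding to fit inside the record that was actually received.

```c
#include <stdio.h>
#include <string.h>

#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_PADDING   16      /* minimum random padding required by RFC 6520 */

/* Constructed secret that happens to sit just past the heartbeat record in
 * our simulated heap. In a real server this would be session data,
 * credentials, or the private key. */
#define SECRET "password=hunter2"

/* Simulated process memory and a response buffer (constructed for the demo). */
static unsigned char memory[128];
static unsigned char response[128];

/* Handle one heartbeat record of `record_len` bytes starting at `rec`.
 * Writes the reply into `out` and returns its length, or -1 if the
 * request is dropped. `fixed` selects unpatched (0) or patched (1) behaviour. */
static int process_heartbeat(const unsigned char *rec, size_t record_len,
                             unsigned char *out, size_t out_cap, int fixed)
{
    if (record_len < 3)
        return -1;

    unsigned char type = rec[0];
    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];   /* attacker-controlled */
    const unsigned char *payload = rec + 3;

    if (type != HB_REQUEST)
        return -1;

    if (fixed) {
        /* The patched check: type byte + 2-byte length + claimed payload +
         * minimum padding must fit inside the record actually received;
         * otherwise the message is silently discarded. */
        if (1 + 2 + payload_len + HB_PADDING > record_len)
            return -1;
    }

    size_t resp_len = 1 + 2 + payload_len + HB_PADDING;
    if (resp_len > out_cap)
        return -1;

    out[0] = HB_RESPONSE;
    out[1] = (unsigned char)(payload_len >> 8);
    out[2] = (unsigned char)(payload_len & 0xff);
    /* Unpatched: copies payload_len bytes regardless of how many the peer
     * actually sent, so the copy runs past the record into adjacent memory.
     * (Here it stays inside our simulated `memory` array; in OpenSSL it
     * walks into neighbouring heap allocations.) */
    memcpy(out + 3, payload, payload_len);
    memset(out + 3 + payload_len, 0, HB_PADDING);   /* real code uses random bytes */
    return (int)resp_len;
}

/* Lay out a heartbeat request whose real payload is "hello" (5 bytes) but
 * whose length field claims `claimed_len`, followed by the secret. Returns
 * the length of the record body as it would arrive on the wire. */
static size_t build_request(size_t claimed_len)
{
    memset(memory, 0, sizeof memory);
    memory[0] = HB_REQUEST;
    memory[1] = (unsigned char)(claimed_len >> 8);
    memory[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(memory + 3, "hello", 5);
    /* 16 bytes of (zero) padding follow at memory[8..23]; record body = 24 bytes. */
    memcpy(memory + 24, SECRET, strlen(SECRET));     /* unrelated neighbouring data */
    return 24;
}

/* Returns 1 if the unpatched handler's reply to a request claiming a 40-byte
 * payload contains the neighbouring secret. */
int vulnerable_leaks_secret(void)
{
    size_t rec_len = build_request(40);
    int n = process_heartbeat(memory, rec_len, response, sizeof response, 0);
    /* The copy starts at memory+3 -> response+3, so memory+24 lands at response+24. */
    return n == 3 + 40 + HB_PADDING &&
           memcmp(response + 24, SECRET, strlen(SECRET)) == 0;
}

/* Returns 1 if the patched handler drops that same oversized request. */
int patched_drops_oversized(void)
{
    size_t rec_len = build_request(40);
    return process_heartbeat(memory, rec_len, response, sizeof response, 1) == -1;
}

/* Returns 1 if the patched handler still answers an honest 5-byte request. */
int patched_answers_honest(void)
{
    size_t rec_len = build_request(5);
    int n = process_heartbeat(memory, rec_len, response, sizeof response, 1);
    return n == 3 + 5 + HB_PADDING && memcmp(response + 3, "hello", 5) == 0;
}

int main(void)
{
    printf("unpatched leaks secret:  %d\n", vulnerable_leaks_secret());
    printf("patched drops oversized: %d\n", patched_drops_oversized());
    printf("patched answers honest:  %d\n", patched_answers_honest());
    return 0;
}
```

The point to take from the model is that nothing in the request has to be malformed in any visible way: the only difference between the honest and the malicious request is the number in the length field, and the unpatched handler never compares that number with the amount of data it actually received. Because a single request can ask for up to 65,535 bytes and can be repeated indefinitely, an attacker gets to sample the process’s memory over and over, which is how a few minutes of scripting can turn into a list of credentials.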
The news of this bug came just after we reported that Yahoo has been upgrading its ecosystem to use HTTPS throughout, on an infrastructure built on OpenSSL. Security vulnerabilities are common in the industry, but this one is serious enough that security expert Bruce Schneier has called it “catastrophic”, writing in a blog post that on a scale of 1 to 10 it rates an 11.
The bug allows attackers to read users’ passwords and, if a server’s private key is among the leaked data, to impersonate it and fool people into using bogus versions of websites. Attackers can read the contents of a server’s memory, where the data it is currently handling sits unencrypted, including but not limited to usernames, passwords and credit card numbers. About half a million websites are known to have been vulnerable at one point or another, including Web giants such as Google, Facebook and Yahoo.
Underscoring just how serious the bug is, Scott Galloway, a developer at the security firm Fox-IT, ran a script that exploited the Heartbleed flaw for five minutes and recovered a list of 200 usernames and passwords from Yahoo Mail. Although Yahoo has given no direct advice to end users, it has issued a statement saying that it began working on a fix as soon as it became aware of the problem and is now rolling the fix out across the rest of its sites. Google and Facebook, for their part, say they have already applied patches and fixed the issue. Patching the library alone is not the end of the job: because private keys may already have been read out, an affected site also needs to generate new keys, reissue its certificates and revoke the old ones before users can safely change their passwords.
“Users of critical online services should wait for an official statement from their service providers and then follow their guidelines,” suggested Ari Takanen, the chief research officer at Codenomicon, in an email to us. “Once service providers have updated OpenSSL and encryption keys, consumers may be directed to update their passwords.”