Faulty encryption technology has made data on many of the world's major websites vulnerable to theft by hackers.
Experts say the so-called "Heartbleed" vulnerability is one of the most serious security flaws uncovered in recent years as it affects widely used Web encryption technology used to transmit email, e-commerce transactions, social networking posts and other web traffic securely.
The discovery of the bug by researchers at Google and the Finnish security firm Codenomicon prompted the US Department of Homeland Security to advise businesses today to review their servers and check whether they were running vulnerable versions of OpenSSL, a widely used implementation of the SSL/TLS encryption protocols.
It said updates are already available to address the vulnerability in OpenSSL, which could enable remote attackers to access sensitive data, including passwords and the secret keys that can decrypt traffic as it travels across the Internet.
"We have tested some of our own services from an attacker's perspective. We attacked ourselves from outside, without leaving a trace," Codenomicon said on a website it built to provide information about the threat, heartbleed.com.
It is not known whether anyone has used the bug to launch an attack, but the fact that attackers can exploit the vulnerability without leaving any trace is all the more worrying because the bug remained undiscovered for more than two years. Researchers are advising people to change all of their passwords.
"If a website is vulnerable I could see things like your password, banking information and healthcare data, which you were under the impression you were sending securely to your website," said Michael Coates, director of product security for Shape Security.
While the problem affects only OpenSSL's implementation of SSL/TLS, that happens to be one of the most common on the internet. Researchers at Codenomicon say that OpenSSL is used by two of the most widely deployed web server packages, Apache and nginx, meaning many websites potentially have this security flaw.
OpenSSL is also used to secure email, chats and virtual private networks, which are used by employees to connect securely with corporate networks.
Despite the worries, Codenomicon said many large consumer sites did not have the problem because of their "conservative choice" of equipment and software. "Ironically smaller and more progressive services or those who have upgraded to (the) latest and best encryption will be affected most," the firm added.
Chris Eng, vice president of research with software security firm Veracode, said he estimates that hundreds of thousands of web and email servers around the globe need to be patched as soon as possible with a fix released earlier this week, to protect them from hackers who will rush to exploit the vulnerability now that it is publicly known.
The technology website Ars Technica reported that security researcher Mark Loman was able to extract data from Yahoo Mail servers by using a free tool.
A spokesperson for Yahoo confirmed that Yahoo Mail was vulnerable to attack, but said it had been patched along with other main Yahoo sites such as Yahoo Search, Finance, Sports, Flickr and Tumblr.
"We are working to implement the fix across the rest of our sites right now," she said yesterday evening.