Warning: Heartbleed Bug Exposing Passwords for Two Years Now
By Athena Yenko | April 9, 2014 2:06 PM EST
On Monday, Finnish security experts, together with researchers from Google, revealed the discovery of a two-year-old bug, Heartbleed, which had been exposing users' passwords online.
On Tuesday, Yahoo, Tumblr, PayPal, Facebook, Google and Amazon Web Services released statements saying that they were already fixing the bug. However, they still encouraged users to immediately change their old passwords to new ones.
"This still means that the little lock icon (HTTPS) we all trusted to keep our passwords, personal emails and credit cards safe was actually making all that private information accessible to anyone who knew about the exploit. This might be a good day to call in sick and take some time to change your passwords everywhere - especially your high-security services like email, file storage and banking, which may have been compromised by this bug," the security team at Tumblr wrote on its Web site.
Researchers continue to warn users to secure the passwords used to access important accounts, such as those tied to bank details and Social Security numbers.
To demonstrate how the Heartbleed bug attacks, CNET obtained a censored example from Ronald Prins of security firm Fox-IT.
After running Heartbleed, Prins tweeted:
"We were able to scrape a Yahoo username & password via the Heartbleed bug."
Developer Scott Galloway echoed the same in his tweet:
"Ok, ran my heartbleed script for 5 minutes, now have a list of 200 usernames and passwords for yahoo mail ... TRIVIAL!"
The magnitude of Heartbleed's effect remains untracked, as the bug affects OpenSSL, which is used by the majority of Web sites online.
"It's a serious bug in that it doesn't leave any trace. Bad guys can access the memory on a machine and take encryption keys, usernames, passwords, valuable intellectual property, and there's no trace they've been there," David Chartier, chief executive at Codenomicon, explained.
Heartbleed victims will not be aware that they have been victims.
"Unless an attacker blackmails you, or publishes your information online, or steals a trade secret and uses it, you won't know if you've been compromised. That's what makes it so vicious," Mr Chartier said.
"Companies need to get new encryption keys and users need to get new passwords," he advised.