Critical Bug 'Heartbleed' Violates Internet Security - Passwords, Credit Cards Under Attack; Exposed Web Sites Listed
By Pavithra Rathinavel | April 9, 2014 7:37 PM EST
A new vulnerability known as the "Heartbleed Bug" has surfaced in the OpenSSL library. It allows attackers to gain access to sensitive data, including credit cards, usernames, passwords and private communications, among others.
What is OpenSSL?
It is an open-source software package used to encrypt Web communications. Notably, SSL/TLS encryption is used to protect web applications, e-mail communications, instant messaging and virtual private networks (VPNs).
According to reports, popular websites offering SSL encryption, like NASA, Airbnb, Pinterest, USMagazine.com, Creative Commons, among others, were exposed to this security bug on April 7. The attack is accomplished by compromising the "secret keys" used to encrypt web traffic, in turn letting attackers intercept sensitive data and impersonate others.
Codenomicon, a software security firm, along with Google's security team, detected this vulnerability. The number of other web sites which are exposed to this vulnerability might increase. GitHub has a list of such web sites.
All along, security experts have recommended that users visit only those sites and services that offer SSL encryption. But the new Heartbleed bug can defeat this security layer and compromise user information.
Heartbleed has already come up with a security patch, but many web sites have yet to get the updates for their web site and hence they are still vulnerable to attacks. This is what Heartbleed has to say about the vulnerability:
"The bug compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. As long as the vulnerable version of OpenSSL is in use it can be abused."
What Should Users Do?
Mashable suggested that users who frequent the listed (vulnerable) sites wait for an official confirmation from the web site before making their next visit. Once a site confirms that the security update has been installed, users must change their passwords.
Yahoo reportedly has fixed the vulnerability on its main web sites. Here is a Twitter confirmation from Yahoo:
Our team has fixed the #Heartbleed vulnerability across our main properties & is implementing the fix across our entire platform now.
— Yahoo Inc. (@YahooInc) April 8, 2014
To be on the safer side, users should keep a close watch on their online accounts (insurance, banking, email, etc.) for any suspicious behavior, at least for the next week.
Many web sites have confirmed that the update suggested by Heartbleed is incorporated in their sites. These include WordPress, Amazon Services and Akamai, among others.
GitHub also has a list of websites that are not vulnerable to this attack such as Google, Tumblr, FourSquare, Evernote and others.
How to Check if a Site is Vulnerable to This Attack?
There is a service called Heartbleed Checker that allows users to enter the URL of a web site to check whether it is vulnerable to the Heartbleed Bug.