‘Heartbleed’ Bug: Major Websites Vulnerable to Hackers for 2 Years; How to Fix It
By Raymond Ronamai | April 10, 2014 12:25 AM EST
In what experts described as one of the most serious security flaws in recent years, researchers have found a bug called "Heartbleed" in popular software used by millions of web servers, leaving the data on many major websites vulnerable to hackers.
Photo caption: A security guard answers a call at the reception counter of the Google office in the southern Indian city of Hyderabad in this February 6, 2012, file photo.
The “Heartbleed” bug was found in OpenSSL, a popular open source cryptographic library used by millions of web servers, according to a finding by researchers with Google Inc and security firm Codenomicon (via Mashable). The bug can reveal sensitive data such as credit card numbers, usernames and passwords, because it allows internet users to read the memory of a server.
“The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs),” according to the website Heartbleed.
“The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content,” it added.
Popular websites, including NASA, Airbnb, Pinterest, USMagazine.com, Creative Commons and several others which run on OpenSSL encryption, were exposed to the “Heartbleed” bug on Monday, according to Mashable.
Major websites like Google, Microsoft, Twitter and Facebook are safe, but Yahoo is in the vulnerable group, according to a tool by Filippo Valsorda that checks whether a site is vulnerable to the Heartbleed bug.
Our team has fixed the #Heartbleed vulnerability across our main properties & is implementing the fix across our entire platform now.
— Yahoo Inc. (@YahooInc) April 8, 2014
"If a website is vulnerable I could see things like your password, banking information and healthcare data, which you were under the impression you were sending securely to your website," Michael Coates, director of product security for Shape Security, was quoted as saying by Reuters.
How to Fix “Heartbleed” Bug
Chris Eng, vice president of Veracode, told Reuters that thousands of web and email servers should be patched as soon as possible, since hackers may try to exploit the vulnerability now that it has been made public.
Sites need to update to a safer version of OpenSSL and, for full protection from the bug, also obtain new security certificates and generate new encryption keys, according to a report by the BBC.
“If you need strong anonymity or privacy on the Internet, you might want to stay away from the Internet entirely for the next few days while things settle,” suggested Tor Project.
The “Heartbleed” bug was introduced into OpenSSL in 2011 and has been present in every release since OpenSSL 1.0.1 in 2012; OpenSSL 1.0.1g, released on 7 April 2014, fixes the bug, according to the Heartbleed website.
Meanwhile, Jamieson Becker has suggested a few steps to fix the bug on Twitter.
To FIX Heartbleed: 1. Upgrade OpenSSL 2. Revoke ALL SSL certificates 3. Regen all SSL priv keys 4. Get new certs from SSL vendor
— Jamieson Becker (@JamiesonBecker) April 8, 2014
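As an added example for step 1 (not code from the article, OpenSSL or the people quoted), a small Python check that classifies the banner printed by `openssl version` against the range the article gives: upstream 1.0.1 through 1.0.1f affected, 1.0.1g and later fixed. The banner format, the function names and the sample banners are my assumptions.

```python
import re
import subprocess

# Range the article names: the bug shipped with OpenSSL 1.0.1 (2012) and was
# fixed in 1.0.1g (7 April 2014), so upstream 1.0.1 through 1.0.1f is affected.
AFFECTED_BRANCH = (1, 0, 1)
FIXED_LETTER = "g"

# Matches the start of an `openssl version` banner, e.g. "OpenSSL 1.0.1e 11 Feb 2013"
# or the RHEL-style "OpenSSL 1.0.1e-fips 11 Feb 2013" (patch letter is optional).
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]?)")


def parse_openssl_version(banner):
    """Return (major, minor, fix, letter) from a version banner, or None if unparseable."""
    m = VERSION_RE.search(banner)
    if m is None:
        return None
    major, minor, fix, letter = m.groups()
    return (int(major), int(minor), int(fix), letter)


def classify_openssl_version(banner):
    """Classify a banner as 'affected', 'fixed' or 'not-1.0.1-branch'.

    Only the 1.0.1 line the article covers is assessed; other branches are
    reported as not assessed rather than guessed at. Some Linux distributions
    backport the fix without changing the upstream version string, so
    'affected' means "verify against the package changelog", not "confirmed".
    """
    parsed = parse_openssl_version(banner)
    if parsed is None:
        raise ValueError("unrecognised OpenSSL version banner: %r" % banner)
    major, minor, fix, letter = parsed
    if (major, minor, fix) != AFFECTED_BRANCH:
        return "not-1.0.1-branch"
    # Patch letters sort alphabetically: "" (plain 1.0.1) < "a" < ... < "f" < "g".
    return "affected" if letter < FIXED_LETTER else "fixed"


def check_local_openssl():
    """Run the local `openssl version` command and classify its banner."""
    banner = subprocess.check_output(["openssl", "version"]).decode()
    return banner.strip(), classify_openssl_version(banner)


if __name__ == "__main__":
    # Constructed sample banners in the format `openssl version` prints.
    for sample in ("OpenSSL 1.0.1e 11 Feb 2013",
                   "OpenSSL 1.0.1g 7 Apr 2014",
                   "OpenSSL 1.0.0k 5 Feb 2013"):
        print("%-30s -> %s" % (sample, classify_openssl_version(sample)))
    banner, verdict = check_local_openssl()
    print("%-30s -> %s" % (banner, verdict))
```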