A new vulnerability known as the "Heartbleed Bug" (CVE-2014-0160) has surfaced in the OpenSSL library. It lets an attacker read chunks of a server's memory without authentication, exposing sensitive data such as credit card numbers, usernames, passwords and private communications.
What is OpenSSL?
It is an open-source library that implements the SSL/TLS protocols used to encrypt Web communications. SSL/TLS is also what protects web applications, e-mail, instant messaging and virtual private networks (VPNs), so a flaw in OpenSSL reaches far beyond the browser.
According to reports, popular websites using SSL encryption, such as NASA, Airbnb, Pinterest, USMagazine.com and Creative Commons, were found to be exposed to the bug when it was disclosed on April 7. The flaw is a missing bounds check in OpenSSL's TLS heartbeat extension: a client can ask the server to echo back far more data than it actually sent, and the server replies with up to 64 KB of whatever happens to be in its memory at the time. Repeated requests can recover the "secret keys" used to encrypt web traffic, which in turn lets attackers decrypt intercepted data and impersonate the site.
Codenomicon, a software security firm, and Google's security team each detected the vulnerability independently. The number of web sites known to be exposed is likely to grow as testing continues; a list of such sites is being maintained on GitHub.
Until now, security experts have recommended that users stick to sites and services that offer SSL encryption. Heartbleed undermines that very layer: the browser still shows the padlock, but the server behind it may be leaking the data the connection was meant to protect.
A fixed release of OpenSSL (1.0.1g) is already available, but many web sites have not yet applied the update and so remain vulnerable. The affected versions are OpenSSL 1.0.1 through 1.0.1f (and 1.0.2-beta1); the older 1.0.0 and 0.9.8 branches do not contain the bug. This is what the Heartbleed disclosure site has to say about the vulnerability:
"The bug compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. As long as the vulnerable version of OpenSSL is in use it can be abused."
What Should Users Do?
Mashable suggested that users of the listed (vulnerable) sites wait for an official confirmation from each site before visiting it again. Only once the site confirms that the security update has been installed should users change their passwords: a password changed while the site is still vulnerable simply passes the new one through the same leaky memory.
Yahoo has reportedly fixed the vulnerability on its main web sites. Here is the confirmation Yahoo posted on Twitter:
Our team has fixed the #Heartbleed vulnerability across our main properties & is implementing the fix across our entire platform now.
— Yahoo Inc. (@YahooInc) April 8, 2014
To be on the safe side, users should watch their online accounts (insurance, banking, e-mail, etc.) for any suspicious activity for at least the next week.
Many web sites have confirmed that the OpenSSL update is now in place, including WordPress, Amazon Services and Akamai.
GitHub also has a list of websites that are not vulnerable to this attack, such as Google, Tumblr, FourSquare and Evernote.
How to Check if a Site is Vulnerable to This Attack?
There is a service called Heartbleed Checker that lets users enter a site's URL and check whether it is vulnerable to the Heartbleed bug. Such checkers test the live server rather than its advertised OpenSSL version, and for good reason: several Linux distributions ship the fix as a backport that leaves the version string (for example 1.0.1e) unchanged, so a version number alone proves nothing either way.