In what experts described as one of the most serious security flaws in recent years, a new finding by researchers found out the presence of a bug called "Heartbleed", in popular software used by millions of web servers, making the data on many major websites vulnerable to hackers.
"Heartbleed" bug was found in OpenSSL, a popular open source cryptographic library used by millions of web servers, according to a finding by researchers with Google Inc and security firm Codenomicon (via Mashable). The bug can reveal sensitive datas like credit card numbers, usernames and passwords as it can allow internet users to read memory of a server.
"The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs)," according to the website Heartbleed.
"The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content," it added.
Popular websites, including NASA, Airbnb, Pinterest, USMagazine.com, Creative Commons and several others which run on OpenSSL encryption, were exposed to the "Heartbleed" bug on Monday, according to Mashable.
Major websites like Google, Microsoft, Twitter and Facebook are safe but Yahoo is in the vulnerable group, according to a tool on Filippo Valsorda that helps find if a site is vulnerable to the Heartbleed bug.
Our team has fixed the #Heartbleed vulnerability across our main properties & is implementing the fix across our entire platform now.
— Yahoo Inc. (@YahooInc) April 8, 2014
"If a website is vulnerable I could see things like your password, banking information and healthcare data, which you were under the impression you were sending securely to your website," Michael Coates, director of product security for Shape Security, was quoted as saying by Reuters.
How to Fix "Heartbleed" Bug
Chris Eng, vice president of Veracode, told Reuters that thousands of web and email servers should be patched at the earliest to avoid the attack of hackers, who may try to exploit the vulnerability as it has now gone public.
The sites need to update to safer version of OpenSSL, besides getting new security certificates and generating new encryption keys for full protection from the bug, says a report by BBC.
"If you need strong anonymity or privacy on the Internet, you might want to stay away from the Internet entirely for the next few days while things settle," suggested Tor Project.
The "Heartbleed" bug, which was introduced to OpenSSL in 2011, has been there since the OpenSSL release 1.0.1 in 2012 but OpenSSL 1.0.1g released on 7 April 2014 can fix the bug, according to Heartbleed website.
Meanwhile, Jamieson Becker has suggested a few steps to fix the bug on his Twitter page.
To FIX Heartbleed: 1. Upgrade OpenSSL 2. Revoke ALL SSL certificates 3. Regen all SSL priv keys 4. Get new certs from SSL vendor — Jamieson Becker (@JamiesonBecker) April 8, 2014
