Widespread Encryption Bug, Heartbleed, Can Capture Your Passwords


Image: Flickr, Intel Free Press


Some websites running SSL encryption were exposed to a major security bug called Heartbleed on Monday.


The bug was reportedly discovered by a member of Google's security team and an organization called Codenomicon.



Affecting web servers running Apache and Nginx software, the bug has the potential to expose private information users enter on websites, applications, web email and even instant messages.


Most security experts advise that you always use websites and services that offer SSL encryption whenever possible, but the Heartbleed bug lets malicious operators defeat this security layer: capture passwords, forge authentication cookies and obtain other private information. The name "Heartbleed" comes from the bug's ability to intercept the pulse, like a heartbeat, sent back and forth between a user and a website during SSL authentication.


A security patch for the bug was released at the same time Heartbleed was announced on Monday, but many websites are still playing catch-up. That's why websites like the Tor Project are, only somewhat tongue-in-cheek, advising that you stay off the Internet this week if you really care about your security.


One of the messages on the Heartbleed homepage, a site created to address the bug, states:



[The Heartbleed bug] compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content... As long as the vulnerable version of OpenSSL is in use it can be abused.



So far, the services and websites that have confirmed an OpenSSL security update include WordPress and Amazon Web Services, among others.


However, according to a list being distributed on GitHub, a number of other websites may still be vulnerable, including Airbnb, Pinterest, USMagazine.com, Nasa, Flickr, Yahoo and Creative Commons, among others. The same list also records sites that have been scanned and deemed safe, including Google, Tumblr, FourSquare and Evernote.


In the meantime, while websites are installing the latest version of OpenSSL to fix the bug, it would be a good idea to wait for confirmed updates from your favorite websites and services and then change your password, just to be as safe as possible.

