Many of the websites you use at home and in the office are vulnerable to hacking, according to researchers who uncovered a security flaw in OpenSSL, the open-source software that is used to encrypt online communications. Websites and apps that encrypt data with a password likely use OpenSSL, and the cryptographic library is used to secure the servers that work with more than 66 percent of active websites on the Internet.
The bug, dubbed “Heartbleed,” allows a hacker to easily trick a server running OpenSSL into revealing decryption keys stored on a server’s memory. With those keys, a hacker can eavesdrop on encrypted communications, directly steal sensitive information and impersonate users and services.
“Your popular social site, your company's site, commerce site, hobby site, site you install software from or even sites run by your government might be using vulnerable OpenSSL,” warned Codenomicon, the cybersecurity firm that found and published information about Heartbleed on Monday night.
In tests, Codenomicon was able to access its own usernames and passwords, instant messages, emails and documents. Since Heartbleed leaves no trace, every network administrator has to assume their system has already been compromised.
The firm explained that the bug exploits an OpenSSL feature known as “heartbeat,” which is how the bug got its name. Heartbleed has existed on all versions of OpenSSL for more than two years and leaves no trace in server logs when it’s exploited.
“Bugs in single software or library come and go and are fixed by new versions. However this bug has left large amount of private keys and other secrets exposed to the Internet,” Codenomicon said in a detailed explanation of Heartbleed. “Considering the long exposure, ease of exploitation and attacks leaving no trace this exposure should be taken seriously.”
The good news is that OpenSSL released an emergency patch to protect against Heartbleed.
“Operating system vendors and distribution, appliance vendors [and] independent software vendors have to adopt the fix and notify their users,” Codenomicon wrote in a detailed analysts of Heartbleed. “Service providers and users have to install the fix as it becomes available for the operating systems, networked appliances and software they use.”
So far, Codenomicon has no information on whether the Heartbleed exploitation has been used by malicious hackers.