Thursday, 10 April 2014

‘Heartbleed’ encryption flaw leaves millions of sites at risk

A flaw in an encryption technology used to protect major websites including Yahoo has left a huge amount of private data at risk – researchers advise internet users to change all their passwords.

The bug, known as ‘Heartbleed’ is described as one of the “most serious security flaws ever found” according to the Telegraph’s report. It afffects the open-source encryption software OenSSL – which is used on millions of web servers – and has been undiscovered for more than two years. The Telegraph reports that it could have been used to steal passwords, credit card details and even encryption keys, without trace.

Threatpost says that the vulnerability has affected major sites including password manager LastPass and the FBI’s web presence, and says, “Attacks can leak private keys, usernames and passwords and other sensitive data, and some large sites, including Yahoo Mail and others, are vulnerable right now.” Threatpost says that a proof-of-concept exploit for the bug has already been posted on coding site Github.

The researchers who discovered Heartbleed say that it has left private keys, and other secrets exposed “for years”. The researchers tested the vulnerability themselves, “We have tested some of our own services from an attacker’s perspective. We attacked ourselves from outside, without leaving a trace. Without using any privileged information, we were able steal from ourselves secret keys, usernames and passwords, instant messages, emails and business critical documents and communication.”

The bug was discovered by researchers from Finnnish firm Codenomicon working with Google. A dedicated website heartbleed.com helps to explain some of the risks – although the researchers admit they do not know how widely the bug has been exploited.

“The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet,” the firm writes.

“The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.”