A confounding computer bug called “Heartbleed” is causing major security headaches across the Internet as websites scramble to fix the problem and Web surfers wonder whether they should change their passwords to prevent theft of their email accounts, credit card numbers and other sensitive information.
Heartbleed creates an opening in SSL/TLS, an encryption technology marked by the small, closed padlock and “https:” on Web browsers to signify that traffic is secure. The flaw makes it possible to snoop on Internet traffic even if the padlock had been closed. Interlopers could also grab the keys for deciphering encrypted data without the website owners knowing the theft had occurred, according to security researchers.
The problem affects only the variant of SSL/TLS known as OpenSSL, but that happens to be one of the most common on the Internet.
About two-thirds of Web servers rely on OpenSSL, Chartier said. That means the information passing through hundreds of thousands of websites could be vulnerable, despite the protection offered by encryptions. Beside emails and chats, OpenSSL is also used to secure virtual private networks, which are used by employees to connect with corporate networks seeking to shield confidential information from prying eyes.
Yahoo, Google and Facebook confirmed they had been affected by the OpenSSL flaw and had applied fixes to their systems.
Yahoo, which has more than 800 million users around the world, said Tuesday that most of its popular services had been fixed, but work was still being done on other products that it didn’t identify. The repairs have been made on a list of services that includes its home page, search engine, email, finance and sport sections, Flickr photo-sharing service and its Tumblr blogging service.
Security experts said Yahoo users, in particular, should change their passwords, because that company had not completely patched its software until after the flaw became public. On Tuesday afternoon, while looking for vulnerabilities, researchers reported that they had been able to capture user names and passwords from Yahoo.
Google is so confident that it inoculated itself against the Heartbleed bug before any damage could be done that the Mountain View, California, company is telling its users they don’t have to change the passwords they use to access Gmail, YouTube and other product accounts. More than 425 million Gmail accounts alone have been set up worldwide.
Facebook, which has more than 1.2 billion accountholders, also believes its online social network has purged the Heartbleed threat. But the company encouraged “people to take this opportunity to follow good practices and set up a unique password for your Facebook account that you don’t use on other sites.”
Twitter and e-commerce giant Amazon say their websites weren’t exposed to Heartbleed.
The folks over at Mashable have also set up a handy list of other services for which you might need to change your password, thanks to Heartbleed.