Massive Security Flaw Left Much of Internet Exposed

'Heartbleed' bug has been present in the OpenSSL library for 2 years

By Rob Quinn,  Newser Staff

Posted Apr 9, 2014 5:12 AM CDT | Updated Apr 9, 2014 7:59 AM CDT

(Newser) – A major flaw in one of the Internet's chief security tools has exposed users' confidential information to attackers for roughly the last two years, security researchers revealed Monday night. The "Heartbleed" bug affects OpenSSL, the open-source library that implements the SSL/TLS encryption used by some two-thirds of websites to protect sensitive data as it moves back and forth; only sites running the affected OpenSSL 1.0.1 series were actually vulnerable, and version 1.0.1g fixes it. Major websites are scrambling to fix the problem (Yahoo did so yesterday), reports the BBC, but experts suggest users change their passwords only once they are sure the sites they use have been patched, since a new password typed into a still-vulnerable site can be stolen just as easily as the old one. Some go further and advise avoiding the Internet for a few days. "I would change every password everywhere," one tells the AP.

The bug (which a cryptographer describes as the "result of a relatively mundane coding error") lets an attacker pull up to 64KB of a server's working memory with each request. The attacker cannot choose which bytes come back, but nothing stops the request being repeated, and it leaves nothing in ordinary server logs, so hackers can "go fishing" over and over again for sensitive data like passwords, bank details and the encryption keys that protect the connection itself, the Verge explains. The same flaw works in reverse: a malicious server can read memory from a vulnerable client that connects to it. It's not clear how widely the bug was exploited, but the security hole means the "little lock icon (HTTPS) we all trusted to keep our passwords, personal emails, and credit cards safe was actually making all that private information accessible to anyone who knew about the exploit," the security team at Tumblr wrote in a blog post. For now, users should make sure to log out when they finish using a website, the chief of content delivery network Cloudflare tells the Huffington Post, adding that the bug "is so serious—it's such a big, bad event—that almost every major service is scrambling to clean it up as quickly as possible" and most major sites should be patched by the end of the week.

The bug has been called "Heartbleed" because it lies in the TLS "heartbeat" extension, a keep-alive feature that lets one side of a connection send a small message and have it echoed back.
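To make the "64k of memory" figure concrete, here is an added illustration of the heartbeat bug and its fix. This is not OpenSSL's code and not part of the original article: it is a simplified model of a heartbeat handler, written for this page, in which a request carries its own payload length. The vulnerable handler trusts that length; the fixed handler adds the bounds check that the published patch introduced. Process memory is simulated with a fixed array, and the "secret" placed after the record is constructed for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* TLS heartbeat message (RFC 6520):
 *   type (1 byte) | payload_length (2 bytes, big-endian) | payload | padding (>= 16 bytes)
 * The record layer separately tells the handler how many bytes really arrived (rec_len). */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_HEADER   3
#define HB_PADDING  16

/* Simulated process memory: the incoming record sits at offset 0 and a constructed
 * "secret" sits right after it, standing in for whatever else was on the heap.
 * Sized so even a 65535-byte claimed payload stays inside the array: the over-read
 * has its real effect without real undefined behaviour in this demo. */
#define MEM_SIZE (HB_HEADER + 65535 + HB_PADDING + 64)
static unsigned char process_memory[MEM_SIZE];
static unsigned char response[MEM_SIZE];

static uint16_t n2s(const unsigned char *p)
{
    return (uint16_t)(((uint16_t)p[0] << 8) | p[1]);
}

/* Build the reply: header, echoed payload of `payload` bytes, zero padding. */
static size_t write_response(const unsigned char *rec, uint16_t payload,
                             unsigned char *out, size_t out_cap)
{
    size_t resp_len = HB_HEADER + (size_t)payload + HB_PADDING;
    if (resp_len > out_cap) return 0;
    out[0] = HB_RESPONSE;
    out[1] = (unsigned char)(payload >> 8);
    out[2] = (unsigned char)(payload & 0xff);
    memcpy(out + HB_HEADER, rec + HB_HEADER, payload);   /* echo the payload */
    memset(out + HB_HEADER + payload, 0, HB_PADDING);
    return resp_len;
}

/* Vulnerable handler, modelled on the pre-fix logic: the payload length comes from
 * the attacker's message and is never compared with rec_len, so the memcpy above
 * echoes up to 64KB of whatever follows the record in memory. */
size_t heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                            unsigned char *out, size_t out_cap)
{
    (void)rec_len;                                 /* the bug: real length ignored */
    if (rec[0] != HB_REQUEST) return 0;
    return write_response(rec, n2s(rec + 1), out, out_cap);
}

/* Fixed handler: a request whose claimed payload plus padding does not fit in the
 * received record is silently discarded. */
size_t heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                       unsigned char *out, size_t out_cap)
{
    if (rec_len < HB_HEADER + HB_PADDING) return 0;
    if (rec[0] != HB_REQUEST) return 0;
    uint16_t payload = n2s(rec + 1);
    if (HB_HEADER + (size_t)payload + HB_PADDING > rec_len) return 0;   /* the fix */
    return write_response(rec, payload, out, out_cap);
}

/* Place a request with two real payload bytes but a claimed length of `claimed`
 * into simulated memory, followed by `secret`. Returns the true record length. */
static size_t build_request(uint16_t claimed, const char *secret)
{
    memset(process_memory, 0, sizeof process_memory);
    process_memory[0] = HB_REQUEST;
    process_memory[1] = (unsigned char)(claimed >> 8);
    process_memory[2] = (unsigned char)(claimed & 0xff);
    memcpy(process_memory + HB_HEADER, "hi", 2);
    size_t rec_len = HB_HEADER + 2 + HB_PADDING;   /* 21 bytes actually sent */
    memcpy(process_memory + rec_len, secret, strlen(secret));
    return rec_len;
}

static const char *SECRET = "password=correct-horse";   /* constructed, not real data */

/* 1 if the vulnerable handler's reply carries the bytes that lay beyond the record. */
int vulnerable_leaks_secret(void)
{
    size_t rec_len = build_request(64, SECRET);
    size_t n = heartbeat_vulnerable(process_memory, rec_len, response, sizeof response);
    /* Byte i of the record is echoed to byte i of the reply, so the secret that
     * sat at process_memory[rec_len] shows up at response[rec_len]. */
    return n >= rec_len + strlen(SECRET) &&
           memcmp(response + rec_len, SECRET, strlen(SECRET)) == 0;
}

/* Same malicious request against the fixed handler: 0 means discarded. */
size_t fixed_response_to_overlong(void)
{
    size_t rec_len = build_request(64, SECRET);
    return heartbeat_fixed(process_memory, rec_len, response, sizeof response);
}

/* An honest request (claimed length matches the 2 real bytes) still gets a reply. */
size_t fixed_response_to_honest(void)
{
    size_t rec_len = build_request(2, "");
    return heartbeat_fixed(process_memory, rec_len, response, sizeof response);
}

int main(void)
{
    printf("vulnerable leaks secret: %d\n", vulnerable_leaks_secret());
    printf("fixed, overlong request: %zu bytes\n", fixed_response_to_overlong());
    printf("fixed, honest request:   %zu bytes\n", fixed_response_to_honest());
    return 0;
}
```

The 64KB ceiling the article cites is simply the largest value a two-byte length field can hold; the attacker controls that field but not the contents of the memory that follows the record, which is why the attack is described as fishing. The one-line check in `heartbeat_fixed` is the whole repair: the reply may never be longer than what actually arrived.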

Bad guys can access the memory on a machine and take encryption keys, usernames, passwords, valuable intellectual property, and there’s no trace they’ve been there. - David Chartier, Codenomicon

