A new alarming vulnerability, entitled Heartbleed, has been found to compromise OpenSSL services. Not only is it able to access servers on sites that use OpenSSL and siphon information on users en masse, but it can potentially create dummy servers to further gain information from users, and decrypt data now and in the future.
It was a shocking revelation. The bug, codenamed Heartbleed, is officially designated CVE-2014-0160 from the joint Codenomicon-Google group that discovered it. They found that is affects both Apache and nginx, which account for a stark majority of websites.
However, testing has specifically been done so far on Yahoo. Their multiple features, such as mail and search, were already found to be affected. Within minutes of using a program to exploit the Heartbleed bug, they were able to access hundreds of usernames and passwords.
Within hours of hearing about this, Yahoo confirmed that they were aware of the issue, and working to fix it. They since claim the vulnerability has been patched, and no further risk exists. But that is only a single website, and if people had connected accounts and recycled passwords, there is a definite problem.
This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users, and the actual content. This allows attackers to eavesdrop communications, steal data directly from the services and users, and to impersonate services and users, a statement from Codenomicon said.
For obvious reasons, speculation has immediately begun over the potential for NSA and other agencies using this as a backdoor for surveillance. Indeed, it seems like a likely source of the initial bug.
What Can Be Done?
This is a hard question to answer, because little information yet exists on where this might have come from, or exactly what sites are being affected. But that is one place to start.
You can see if a site has been affected using this tool. If a site is found to be suffering from vulnerabilities, don’t use it until the problem has been patched. You may want to contact the site to let them know there is an issue.
In the meantime, definitely change your passwords over at Yahoo, if you have an account. If you were sharing passwords from one site to the next, consider switching them all to different, more secure ones.
Sadly, there isn’t much else that can be done. Hopefully, it will be enough for the average user.