Dublin: 1 °C Saturday 18 January, 2020

'Heartbleed' security bug leaves encrypted web servers at risk

The bug can reveal the contents of a server’s memory – where sensitive data like usernames, passwords and credit card numbers is stored – and allows attackers to steal info without a trace.

Millions of web servers worldwide have a software flaw which lets attackers access the security keys used to secure online commerce and web connections.

The bug, named Heartbleed, is in open source software called OpenSSL which is widely used to encrypt web communications. The bug can reveal the contents of a server’s memory - where sensitive data like usernames, passwords and credit card numbers is stored.

It allows attackers to eavesdrop on communications, steal data directly from the servers and users, and impersonate services and users. The bug was discovered by a team of security engineers at Codenomicon and Google Security researcher Neel Mehta, who first reported it to the OpenSSL team.

It is unclear how widely the bug has been exploited, since attackers leave no trace, something the team of security engineers confirmed when they tested the bug by attacking their own services.

We have tested some of our own services from attacker’s perspective. We attacked ourselves from outside, without leaving a trace. Without using any privileged information or credentials we were able to steal from ourselves the secret keys used for our X.509 certificates, user names and passwords, instant messages, emails and business critical documents and communication.

According to the researchers who discovered it, the bug has been present in versions of OpenSSL for two years, and the latest version, released on 7th April, is no longer vulnerable.
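As an added illustration, not code from the article or from OpenSSL, here is a toy model of the kind of record handler the bug lived in: the vulnerable version trusts the length the sender declares, while the corrected version checks that length against the bytes actually received. The record layout, buffer sizes and the sample secret are constructed for the example.

```c
#include <stddef.h>
#include <string.h>

/* Added toy model of a heartbeat-style record (not OpenSSL's code): a 1-byte
 * type, a 2-byte big-endian payload length, then the payload. Heartbleed was
 * a missing check that the declared length fits in the record received. */
#define HB_HEADER_LEN 3
/* Constructed server memory: the record sits at the start, and unrelated data
 * (here a constructed secret) sits right after it. */
static unsigned char server_memory[64];

/* Vulnerable handler: trusts the sender's length field and copies that many
 * bytes, reading past the end of the record into neighbouring memory. */
size_t hb_reply_vulnerable(const unsigned char *rec, size_t received,
                           unsigned char *out, size_t out_cap) {
    (void)received;                                    /* real size ignored */
    size_t payload_len = (size_t)((rec[1] << 8) | rec[2]);
    if (payload_len > out_cap) payload_len = out_cap;  /* keep the toy in bounds */
    memcpy(out, rec + HB_HEADER_LEN, payload_len);
    return payload_len;
}

/* Fixed handler: the declared length must fit inside the bytes actually
 * received, otherwise the record is dropped and nothing is echoed. */
size_t hb_reply_fixed(const unsigned char *rec, size_t received,
                      unsigned char *out, size_t out_cap) {
    if (received < HB_HEADER_LEN) return 0;
    size_t payload_len = (size_t)((rec[1] << 8) | rec[2]);
    if (payload_len + HB_HEADER_LEN > received || payload_len > out_cap) return 0;
    memcpy(out, rec + HB_HEADER_LEN, payload_len);
    return payload_len;
}

/* Constructed record: 4 payload bytes ("ping") but a declared length of 40. */
static const unsigned char bad_record[] = { 0x01, 0x00, 0x28, 'p', 'i', 'n', 'g' };
static const char *secret = "pw=hunter2";   /* constructed stand-in for real data */

/* Lays the record and the secret out in server_memory, then returns the number
 * of bytes the chosen handler echoes back; *leaked is set to 1 if the reply
 * contains the secret, i.e. memory the client never sent was disclosed. */
size_t demo(int use_fixed, int *leaked) {
    unsigned char reply[64] = {0};
    memset(server_memory, 0, sizeof server_memory);
    memcpy(server_memory, bad_record, sizeof bad_record);
    memcpy(server_memory + sizeof bad_record, secret, strlen(secret));
    size_t n = use_fixed
        ? hb_reply_fixed(server_memory, sizeof bad_record, reply, sizeof reply)
        : hb_reply_vulnerable(server_memory, sizeof bad_record, reply, sizeof reply);
    *leaked = n > 4 && memcmp(reply + 4, secret, strlen(secret)) == 0;
    return n;
}
```

The vulnerable handler echoes 40 bytes, 36 of which came from memory beside the record, while the fixed handler echoes nothing for the same record.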

Another developer has published a tool which lets people check websites for Heartbleed vulnerability. Major sites like Facebook, Twitter, Amazon and Google are not affected by the bug, but others like Yahoo and OkCupid are still vulnerable.


About the author:

Quinton O'Reilly