
'Heartbleed' security bug leaves encrypted web servers at risk

The bug can reveal the contents of a server’s memory – where sensitive data like usernames, passwords and credit card numbers is stored – and allows attackers to steal info without a trace.

Millions of web servers worldwide have a software flaw which lets attackers access the security keys used to secure online commerce and web connections.

The bug, named Heartbleed, is in open source software called OpenSSL which is widely used to encrypt web communications. The bug can reveal the contents of a server’s memory – where sensitive data like usernames, passwords and credit card numbers is stored.

It allows attackers to eavesdrop on communications, steal data directly from the servers and users, and impersonate services and users. The bug was discovered by a team of security engineers at Codenomicon and Google security researcher Neel Mehta, who first reported it to the OpenSSL team.

It is unclear how widespread the bug is since attackers leave no trace, something the team of security engineers confirmed when they tested the bug by attacking their own services.

We have tested some of our own services from attacker’s perspective. We attacked ourselves from outside, without leaving a trace. Without using any privileged information or credentials we were able to steal from ourselves the secret keys used for our X.509 certificates, user names and passwords, instant messages, emails and business critical documents and communication.

According to the researchers who discovered it, the bug has been present in versions of OpenSSL for two years, and the latest version, released on 7th April, is no longer vulnerable.

Another developer has published a tool which lets people check websites for Heartbleed vulnerability. Major sites like Facebook, Twitter, Amazon and Google are not affected by the bug, but others like Yahoo and OkCupid are still vulnerable.
