Heartbleed Bug: What You Need to Know

Security researchers have uncovered a fatal flaw in a key safety feature for surfing the Web -- the one that keeps your email, banking, shopping, passwords and communications private.

(CNN) -- A major online security vulnerability dubbed "Heartbleed" could put your personal information at risk, including passwords, credit card information and e-mails.

Heartbleed is a flaw in OpenSSL, an open-source encryption technology that is used by an estimated two-thirds of Web servers. It is behind many HTTPS sites that collect personal or financial information. These sites are typically indicated by a lock icon in the browser to let site visitors know the information they're sending online is hidden from prying eyes.

Cybercriminals could exploit the bug to access visitors' personal data as well as a site's cryptographic keys, which can be used to impersonate that site and collect even more information.

It was discovered by a Google researcher and an independent Finnish security firm called Codenomicon. The researchers have put up a dedicated site to answer common questions about the bug. They even gave it an adorably gruesome custom icon.

Heartbleed is the result of a small coding error but it could have far-reaching consequences and affect the majority of Internet users.

Researchers discovered the issue last week and published their findings on Monday, but said the problem has been present for more than two years, since March 2012. Any communications that took place over SSL in the past two years could have been subject to malicious eavesdropping.

What makes the bug particularly problematic is that there is no simple fix. Action needs to be taken by both the compromised sites and individuals who have visited them.

To protect their user data and encryption keys, sites must upgrade to the patched version of OpenSSL, revoke compromised SSL certificates and get new ones issued.

Many major websites including Google, Facebook, Yahoo, Amazon and Steam have said they've taken steps to secure their sites. Security researchers demonstrated the flaw by stealing Yahoo e-mail logins on Tuesday morning, but Yahoo has since fixed the issue across its major sites, including Tumblr.

It's not just an issue for major sites. Smaller online stores and services use OpenSSL, and those sites might take longer to make the necessary fixes. Websites don't typically publicize whether they're using OpenSSL, so the process will also be bumpy for consumers.

Individuals should update their passwords across the various Web pages they use, but only once they have confirmed a site has already taken the proper measures to address Heartbleed. If they don't and that site is still at risk, the new password could also be compromised. Many sites will also likely send e-mails instructing customers to update passwords if necessary.

NEW YORK (CNNMoney) -- Security researchers have uncovered a fatal flaw in a key safety feature for surfing the Web -- the one that keeps your email, banking, shopping, passwords and communications private.

Here's what you need to know.

What is it?

It's called the Heartbleed bug, and it is essentially an information leak.

It starts with a hole in the software that the vast majority of websites on the Internet use to turn your personal information into strings of random numbers and letters. If you see a padlock image in the address bar, there's a good chance that site is using the encryption software that was impacted by the Heartbleed bug.

What does it do?

Heartbleed allows outsiders to peek into the personal information that was supposed to be protected from snoopers.

The bug allows potential hackers to take advantage of a feature that two computers use to check that their encrypted connection is still alive, known as the "heartbeat extension." A malicious heartbeat signal could force a computer to divulge secret information stored in its memory, including the keys to the encryption tool that turns your credit card information and passwords into indecipherable code.

Once a hacker has the keys to the encryption software, it's game over -- usernames, passwords, bank information and all the other data that you thought were safe are potentially up for grabs. Making matters worse, the Heartbleed bug leaves no traces -- you may never know when or if you've been hacked.
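The "small coding error" behind the leak, as an added illustration that is not from the article or from OpenSSL itself: a simplified heartbeat handler in a constructed, in-memory scenario, with the missing length check toggled on and off. The record layout follows the TLS heartbeat extension; the buffer sizes, the 'S' marker bytes and the `leaked_bytes` helper are assumptions made for the demonstration.

```c
#include <string.h>

/* Constructed stand-in for server memory: a heartbeat record at the start,
 * followed by bytes representing whatever else the process holds. */
#define MEM_SIZE 64
static unsigned char server_mem[MEM_SIZE];

/* Heartbeat record (RFC 6520): 1-byte type, 2-byte big-endian payload
 * length, the payload, then at least 16 bytes of padding. */
enum { HB_REQUEST = 1, HB_RESPONSE = 2, HB_PADDING = 16 };

/* Echo the request payload back. record_len is the real length of the
 * record as received; 'check' toggles the fix. Returns the response
 * length, or -1 if the request is rejected. */
static int handle_heartbeat(const unsigned char *rec, size_t record_len,
                            unsigned char *resp, size_t resp_cap, int check)
{
    if (record_len < 3 || rec[0] != HB_REQUEST)
        return -1;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2]; /* client-supplied */
    /* The fix: header + claimed payload + padding must fit in the record
     * that actually arrived. The vulnerable code skipped this test. */
    if (check && 1 + 2 + claimed + HB_PADDING > record_len)
        return -1;
    if (3 + claimed > resp_cap)
        return -1;
    resp[0] = HB_RESPONSE; resp[1] = rec[1]; resp[2] = rec[2];
    /* Unchecked, this copies 'claimed' bytes starting at the payload,
     * running past the end of the record into neighbouring memory. */
    memcpy(resp + 3, rec + 3, claimed);
    return (int)(3 + claimed);
}

/* Constructed case: the real payload is 4 bytes ("ping") but the length
 * field claims 40. Returns how many bytes from beyond the record were
 * copied into the response: 0 with the check, 20 without it. */
int leaked_bytes(int check)
{
    memset(server_mem, 'S', MEM_SIZE); /* 'S' marks bytes outside the record */
    unsigned char req[] = { HB_REQUEST, 0x00, 40, 'p', 'i', 'n', 'g' };
    memcpy(server_mem, req, sizeof req);
    memset(server_mem + sizeof req, 0, HB_PADDING);
    size_t record_len = sizeof req + HB_PADDING; /* 3 + 4 + 16 = 23 bytes */
    unsigned char resp[MEM_SIZE];
    int n = handle_heartbeat(server_mem, record_len, resp, sizeof resp, check);
    int leaked = 0;
    for (int i = 3; i < n; i++)
        leaked += (resp[i] == 'S');
    return leaked;
}
```

Because the response is built entirely from what the server already holds, nothing in the exchange looks malformed to the server's own logging, which is why the article can say the bug leaves no traces.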

"You could watch traffic go back and forth," said Wayne Jackson III, CEO of open source software company Sonatype. "This is a big deal. When you think about the consequences of having visibility into Amazon and Yahoo, that's pretty scary."

Who does this affect?

Most major websites are targets, because they rely on this program. A survey conducted by W3Techs shows that 81% of sites run on the web server programs Apache and Nginx, and both are vulnerable to the Heartbleed bug.

Many popular sites, including Amazon, Yahoo and OKCupid, use those encryption tools. Yahoo, Amazon and OKCupid have updated their websites with a fix for the bug, but many others have not patched their sites yet.

What can I do?

Not much, unfortunately -- the websites themselves need to update to a new version of the encryption software to fix the bug. That's why changing all your passwords right away isn't a good idea. Websites are all racing to fix the issue, and if you act too quickly, you might change your password on a site that is still vulnerable.

Italian cryptographer Filippo Valsorda launched the "Heartbleed Test," which purports to tell you if websites are still compromised.
