Security researchers have uncovered a fatal flaw in a key safety feature for surfing the Web — the one that keeps your email, banking, shopping, passwords and communications private.
Here’s what you need to know.
What is it?
It’s called the Heartbleed bug, and it is essentially an information leak.
It starts with a hole in OpenSSL, the open-source encryption library that the vast majority of websites use to scramble your personal information before it crosses the Internet. If you see a padlock image in the address bar, there’s a good chance that site is using the software affected by the Heartbleed bug.
“It’s probably the worst bug the Internet has ever seen,” said Matthew Prince, CEO of website-protecting service CloudFlare. “If a week from now we hear criminals spoofed a massive number of accounts at financial institutions, it won’t surprise me.”
What does it do?
For more than two years now, Heartbleed has allowed outsiders to peek into the personal information that was supposed to be protected from snoopers.
The bug sits in a feature called the “heartbeat extension,” a keep-alive that lets one computer ask another whether it is still there by sending a short message and getting the same bytes echoed back. Each heartbeat carries a field stating how long the message is. The flawed code trusted that field without checking it against what had actually arrived, so a malicious heartbeat that claims to be far longer than it really is tricks the server into copying up to 64 kilobytes of whatever happens to sit next to the message in its memory and sending that back to the attacker. Repeat the request and you get a fresh slice of memory each time.
Anything that recently passed through the server’s memory can turn up in those slices: at the very least usernames and passwords, along with the session cookies that keep you logged into a website, which let an outsider pose as you with no password required. The server’s private key can be in there too, and with it an attacker can pose as the real website and dupe you into giving up your personal details, or decrypt traffic recorded earlier if the site did not use forward secrecy.
Making matters worse, the Heartbleed bug leaves no trace by default: the malicious heartbeat is handled inside the encryption layer and never shows up in ordinary web server logs, so you may never know when or if you’ve been hacked.
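To make the length-check failure concrete, here is an added, self-contained C illustration (written for this page, not OpenSSL’s actual code): a constructed block of “server memory” holds one heartbeat request followed by a made-up session cookie, a handler shaped like the pre-patch logic echoes however many bytes the peer claims, and a handler shaped like the patched logic refuses when the claimed length does not fit inside the bytes that really arrived. The memory layout, the secret string and the helper names are all assumptions for the demo.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a slice of a server's process memory.  The
 * received heartbeat record sits at the front; whatever was allocated next
 * to it (here, a made-up session cookie) follows.  Real servers leaked up to
 * 65535 bytes per request; MEM_SIZE is kept small so the over-read in the
 * vulnerable handler stays inside this array (claimed_len <= MEM_SIZE - 3). */
#define MEM_SIZE   128
#define HB_HEADER  3            /* 1 byte type + 2 byte big-endian payload length */
#define HB_PADDING 16           /* minimum random padding after the payload */
#define HB_REQUEST 1
#define HB_RESPONSE 2

static const char SECRET[] = "session=8f3a19c2d4; user=alice";   /* constructed */

/* Lay out one heartbeat request followed by the "neighbouring" secret.
 * claimed_len is what the peer writes in the length field; payload is what
 * the peer actually sends.  Returns the record length the TLS layer saw. */
size_t build_memory(unsigned char *mem, uint16_t claimed_len, const char *payload)
{
    size_t plen = strlen(payload);
    size_t record_len = HB_HEADER + plen + HB_PADDING;
    memset(mem, 0, MEM_SIZE);
    mem[0] = HB_REQUEST;
    mem[1] = (unsigned char)(claimed_len >> 8);
    mem[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(mem + HB_HEADER, payload, plen);
    memset(mem + HB_HEADER + plen, 0xAA, HB_PADDING);      /* padding the peer sent */
    memcpy(mem + record_len, SECRET, sizeof SECRET - 1);   /* bytes the peer never sent */
    return record_len;
}

/* Shape of the pre-patch logic: trust the peer's length field and echo that
 * many bytes, never comparing it with record_len.  Returns bytes echoed. */
size_t heartbeat_vulnerable(const unsigned char *mem, size_t record_len, unsigned char *out)
{
    uint16_t payload = (uint16_t)((mem[1] << 8) | mem[2]);
    (void)record_len;                           /* the bug: never consulted */
    out[0] = HB_RESPONSE;
    out[1] = mem[1];
    out[2] = mem[2];
    memcpy(out + HB_HEADER, mem + HB_HEADER, payload);   /* reads past the record */
    return payload;
}

/* Shape of the patched logic: drop the request silently unless header,
 * claimed payload and minimum padding all fit inside what actually arrived. */
size_t heartbeat_fixed(const unsigned char *mem, size_t record_len, unsigned char *out)
{
    uint16_t payload;
    if (record_len < HB_HEADER + HB_PADDING)
        return 0;
    payload = (uint16_t)((mem[1] << 8) | mem[2]);
    if (HB_HEADER + (size_t)payload + HB_PADDING > record_len)
        return 0;
    out[0] = HB_RESPONSE;
    out[1] = mem[1];
    out[2] = mem[2];
    memcpy(out + HB_HEADER, mem + HB_HEADER, payload);
    return payload;
}

/* 1 if needle appears anywhere in the first n bytes of buf, else 0. */
int contains(const unsigned char *buf, size_t n, const char *needle)
{
    size_t k = strlen(needle), i;
    if (k == 0 || n < k) return 0;
    for (i = 0; i + k <= n; i++)
        if (memcmp(buf + i, needle, k) == 0) return 1;
    return 0;
}

/* Attacker claims 64 bytes but sends 4: does the old code leak the secret? */
int vulnerable_leaks_secret(void)
{
    unsigned char mem[MEM_SIZE], out[MEM_SIZE];
    size_t rec = build_memory(mem, 64, "ping");
    size_t n = heartbeat_vulnerable(mem, rec, out);
    return n == 64 && contains(out + HB_HEADER, n, SECRET);
}

/* Same malicious request against the fixed code: dropped, nothing copied? */
int fixed_rejects_bad_length(void)
{
    unsigned char mem[MEM_SIZE], out[MEM_SIZE];
    size_t rec = build_memory(mem, 64, "ping");
    memset(out, 0, MEM_SIZE);
    return heartbeat_fixed(mem, rec, out) == 0 && !contains(out, MEM_SIZE, "session=");
}

/* Honest request (claims 4, sends 4) still works after the fix? */
int fixed_echoes_honest_request(void)
{
    unsigned char mem[MEM_SIZE], out[MEM_SIZE];
    size_t rec = build_memory(mem, 4, "ping");
    return heartbeat_fixed(mem, rec, out) == 4 && memcmp(out + HB_HEADER, "ping", 4) == 0;
}

int main(void)
{
    printf("old code leaks neighbouring secret: %s\n", vulnerable_leaks_secret() ? "yes" : "no");
    printf("fixed code drops malformed request:  %s\n", fixed_rejects_bad_length() ? "yes" : "no");
    printf("fixed code still echoes honest ping: %s\n", fixed_echoes_honest_request() ? "yes" : "no");
    return 0;
}
```

The whole bug is the single missing comparison between the peer-supplied length and `record_len`; the fix adds nothing but that comparison, which is why a one-line patch closed a two-year-old hole.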
“You could watch traffic go back and forth,” said Wayne Jackson III, CEO of open source software company Sonatype. “This is a big deal. When you think about the consequences of having visibility into Amazon and Yahoo, that’s pretty scary.”
Who does this affect?
Most major websites are exposed, because they rely on OpenSSL. A survey conducted by W3Techs shows that 81% of sites run on the web server programs Apache and Nginx, and both typically use OpenSSL to provide encryption, so any site running an affected OpenSSL release (1.0.1 through 1.0.1f) was vulnerable.
Many popular sites, including Amazon, Google, Yahoo and OKCupid, used the affected software. Those four sites have since applied the fix, but many others have not patched yet.
What can I do?
Log out of all websites: email, social media, banking, everything. Beyond that, it’s a waiting game. The websites themselves need to update to a fixed version of the encryption software (OpenSSL 1.0.1g, or a patched build from their operating system vendor) and then replace their keys and certificates. That’s why changing all your passwords right away isn’t a good idea: if you change your password on a site that is still vulnerable, the new password can leak just like the old one did. Wait until a site confirms it has patched, then change your password there.
Italian cryptographer Filippo Valsorda launched the “Heartbleed Test,” which purports to tell you whether a website is still vulnerable (not whether it has already been compromised, which no test can tell you).
Passomatic, a startup that lets you change several passwords at once, said all its partners have made the fix. Among them are eBay, Expedia, Facebook, Hulu, Instagram, Netflix, Reddit, Wikipedia and Yelp.
How quickly will this be fixed?
Undoing the damage that has potentially already been done won’t be easy. Patching the hole is only the first step; the job won’t be complete until every affected site generates new private keys, gets new certificates issued, revokes the old ones and invalidates existing sessions, because anything leaked before the patch stays useful to an attacker.
That means hackers and potential government spies who were secretly aware of this flaw could have obtained sites’ private keys, which they can use repeatedly until a website replaces them and revokes the old certificate. And that’s where it gets complicated. CloudFlare’s Prince said the encryption system was never meant to dispose of lots of keys at once.
“There will be servers that still have this for years,” he said.