Huge 'Heartbleed' bug threatens internet security

Puts personal information at risk - what do you need to do?


Heartbleed bug

Computer security researchers have uncovered a bug that makes many of the world's biggest websites vulnerable to hackers.

The Heartbleed vulnerability affects a popular data encryption standard called OpenSSL that is designed to keep user information safe on the web. It encodes information so that, to anyone without the correct key, the data looks like random nonsense.

However, every now and again, the system sends out what's known as a 'heartbeat' - a small packet of information designed simply to check that there is another computer at the end of the line. And researchers from Google and security firm Codenomicon have now discovered that it's possible to disguise a data-stealing message so that it appears to be such a heartbeat.

"We have tested some of our own services from attacker's perspective. We attacked ourselves from outside, without leaving a trace," reports Codenomicon. "Without using any privileged information or credentials we were able steal from ourselves the secret keys used for our X.509 certificates, user names and passwords, instant messages, emails and business critical documents and communication."

As a result, hackers could, for example, tap into 'secure' communications from online shoppers that include banking information. They could even steal the encryption keys themselves. "These are the 'crown jewels', and could be used by malicious hackers to do even more damage, without leaving a trace," says security expert Graham Cluley.

More than two-thirds of websites worldwide are based on OpenSSL, making virtually every computer user potentially vulnerable.

"OpenSSL is the most popular open source cryptographic library and TLS (transport layer security) implementation used to encrypt traffic on the internet," warns Codenomicon. "Your popular social site, your company's site, commerce site, hobby site, site you install software from or even sites run by your government might be using vulnerable OpenSSL."

The vulnerability has now been closed, and businesses are scrambling to update their software. But patching the bug and changing security certificates could take months. And, because any attack based on the bug is untraceable, security experts are warning that user data could already have been compromised.

Users are being warned that they should change their passwords - although they shouldn't do so until sites have patched the problem. Yahoo, one of the biggest sites to be affected, has already done so; users can check the status of other sites here.

Revealed: The 10 most common scams

Revealed: The 10 most common scams