Security researchers have recently discovered a fatal security vulnerability called Heartbleed in the popular open source web encryption software OpenSSL. As many as two out of every three web servers in the world depend on OpenSSL for encryption, and Yahoo, Imgur, Flickr and LastPass have already confirmed that they were affected. Fortunately, Apple, Google and Microsoft, along with major e-banking services, appear to be unaffected.
The flaw allowed hackers to trick servers into transmitting the contents of their active memory, which could contain valuable information such as personal data, passwords, credit card details and more. What is more worrying is that researchers have found that hackers exploiting this bug would leave zero traces and could steal vital and valuable data without using any privileged information or credentials. This makes breaches hard to detect and even harder to trace.
What's more damning is that this vulnerability has been in existence for over two years, and it is unclear how many people know about it and, for those who do, how long they have been exploiting it.
An emergency patch has since been released, but it is unclear at this point how effective it is and how long it will take for things to settle. The patch is said to be useless if the private keys were already compromised. A surer fix seems to be for servers to reset their certificates, but that is time-consuming and expensive.
ICSI security researcher Nicholas Weaver said, "It is catastrophically bad, just a hugely damaging bug," and believes that the problem would not go away and that there would still be vulnerable servers a year from now.
As of now, there is little that users can do to protect themselves, as affected websites need to be fixed first before users can meaningfully change their passwords. If not, the new password would just be compromised again. That said, once an affected website has confirmed that it was affected and has taken the necessary time to rectify the problem, users should immediately change their password on that website.
To find out more about Heartbleed, hit the various sources below.