'Catastrophic' web security flaw exposes passwords, private data

Major internet companies like Yahoo and Amazon scrambled to update their networks this week after security researchers discovered a critical flaw that could expose user emails, passwords, and other sensitive data. The flaw involves a coding error in an encryption standard called OpenSSL that is used by half a million websites.

OpenSSL employs an encryption key to scramble and decode passwords and other critical information sent over the internet for services like online banking, email, and instant messaging. Users can normally tell that a website is using encryption if they see a small padlock displayed in their browser.

But on Monday, a team of researchers from Google and cybersecurity firm Codenomicon revealed that, for some websites, that padlock may have been faulty for the past two years. Using some malicious code, a hacker could have intercepted email passwords, usernames, online banking credentials, trade secrets, and other critical data from websites using OpenSSL.

Since the attack would leave no trace, experts say they have no idea which websites may have been hacked—if any—or how many people may have been affected.

“You are likely to be affected either directly or indirectly,” they wrote, nicknaming the problem the “Heartbleed” bug. “Your popular social site, your company’s site, commerce site, hobby site, site you install software from, or even sites run by your government might be using vulnerable OpenSSL.”

On Tuesday, multiple Web services announced they had either fixed the problem or were in the process of doing so. Yahoo said it was working on patching the flaw across its web properties, including Flickr and Tumblr. (Earlier, researchers demonstrated how they could exploit Heartbleed to extract dozens of Yahoo user passwords.) Amazon Web Services, Google, and Facebook said they had fixed the issue. However, there is no way to tell whether sensitive data has been stolen in the past.

To fix the Heartbleed flaw, web technicians simply need to upload the latest, patched version of OpenSSL. Since the vulnerability left open the possibility that a hacker could have stolen an encryption key, allowing him to decrypt past data sent over some websites, experts advised websites to update their security keys as well. They also advised website users to change their passwords—but only after the Heartbleed bug has been patched.

“We have no evidence of any breach and, like most networks, our team took immediate action to fix the issue,” wrote the Tumblr staff on Tuesday. “This might be a good day to call in sick and take some time to change your passwords everywhere.”

Jonathan Bailie, a Web administrator for WORLD, told me the organization hadn’t identified any security vulnerability to members on its network. “We do not store financial information on our website,” he said.

At least one expert speculated Wednesday morning that government intelligence workers might have made use of the bug. “At this point, the odds are close to one that every target has had its private keys extracted by multiple intelligence agencies,” wrote security researcher Bruce Schneier. “‘Catastrophic’ is the right word. On a scale of one to 10, this is an 11.”

Listen to Daniel James Devine discuss the Heartbleed bug with Joseph Slife on The World and Everything in It: