Heartbleed Bug Leaves E-mails, Passwords, Instant Messages, and Private Information Vulnerable
In the afternoon of April 7th, news of a serious security flaw in the way our e-mails, instant messages, and passwords are handled by two thirds of the world’s websites caused quite a stir across the Internet.
According to a group of security researchers who discovered the bug, a coding mistake in an update to OpenSSL released in 2012 may have allowed hackers to extract data from an affected web server’s memory, potentially exposing everyone’s usernames, passwords, and other sensitive information. The flaw may have also given hackers access to the very encryption keys used to establish secure connections between websites and their users.
Making matters worse is the fact that any breach made using the bug leaves no trace, making it virtually impossible to tell whether an account has been compromised or not until it’s too late.
Some of the biggest websites and services affected include Dropbox, Facebook, Flickr, Google, GoDaddy, Gmail, Instagram, Imgur, LastPass, Pinterest, Tumblr, Twitter, Yahoo, Yahoo Mail, and YouTube.
It’s a serious flaw and everyone’s itching to change passwords, but experts suggest that users refrain from accessing their accounts or changing their passwords until after the affected websites have had time to deploy fixes to their servers.
Fortunately, most of the major web services were quick to apply fixes to their affected servers and services, but we’re not out of the woods yet, as OpenSSL is likewise used in Internet-connected appliances such as Wi-Fi routers, smart TVs, DVD players, personal computers, and mobile devices. Google admitted that millions of Android smartphones and tablets running version 4.1.1 of its mobile operating system are vulnerable. While major websites were able to quickly deploy patches to plug the security hole, it’s a completely different story for smartphones and tablets, where critical software updates are at the discretion of carriers and manufacturers like Samsung.
Discovered by a team of researchers from Google and Finnish company Codenomicon, the bug was dubbed “Heartbleed” because the faulty code was found in OpenSSL's implementation of the TLS/DTLS “Heartbeat” extension, which when exploited leaks the memory contents of the affected server. Its official reference is CVE-2014-0160.
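The “coding mistake” behind Heartbleed was a missing length check: the server trusted the payload length declared inside a heartbeat request and copied that many bytes from memory into its reply, even when the request itself was far shorter. The function below, an added example that is not the article’s or OpenSSL’s own code, performs the check the fixed OpenSSL applies, on constructed records laid out per RFC 6520 (a 5-byte TLS record header, then heartbeat type, 2-byte payload length, payload, and at least 16 bytes of padding).

```c
/* Added example (not from the article or from OpenSSL): reject heartbeat
 * records whose declared payload length cannot fit inside the record.
 * Both sample records below are constructed for illustration. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define TLS_REC_HEARTBEAT 0x18  /* TLS record content type for heartbeats */
#define HB_PADDING_MIN    16    /* RFC 6520 requires >= 16 bytes of padding */

/* Returns 1 when the declared payload fits the record, 0 otherwise.
 * rec points at the 5-byte TLS record header; len is the bytes received. */
int heartbeat_length_ok(const uint8_t *rec, size_t len)
{
    if (len < 8 || rec[0] != TLS_REC_HEARTBEAT)
        return 0;                                        /* too short or not a heartbeat */
    size_t rec_len = ((size_t)rec[3] << 8) | rec[4];     /* record body length */
    if (rec_len + 5 != len)
        return 0;                                        /* header disagrees with bytes on the wire */
    size_t payload_len = ((size_t)rec[6] << 8) | rec[7]; /* length the sender claims */
    /* 1 byte type + 2 bytes length + payload + minimum padding must fit.
     * Unpatched OpenSSL skipped this test and copied payload_len bytes. */
    return 1 + 2 + payload_len + HB_PADDING_MIN <= rec_len;
}

/* Constructed: a well-formed request carrying the 4-byte payload "ping". */
static const uint8_t kBenignRecord[] = {
    0x18, 0x03, 0x02, 0x00, 0x17,             /* heartbeat, TLS 1.1, 23-byte body */
    0x01, 0x00, 0x04, 'p', 'i', 'n', 'g',     /* request, payload length 4 */
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0  /* 16 bytes of padding */
};

/* Constructed: same bytes, but the sender claims a 65535-byte payload. */
static const uint8_t kOversizedRecord[] = {
    0x18, 0x03, 0x02, 0x00, 0x17,
    0x01, 0xff, 0xff, 'p', 'i', 'n', 'g',     /* claims 65535 bytes, carries 4 */
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
};

int main(void)
{
    printf("benign record:    %s\n",
           heartbeat_length_ok(kBenignRecord, sizeof kBenignRecord) ? "accept" : "reject");
    printf("oversized record: %s\n",
           heartbeat_length_ok(kOversizedRecord, sizeof kOversizedRecord) ? "accept" : "reject");
    return 0;
}
```

The same mismatch between declared and actual length is what network intrusion detection rules published after the disclosure looked for in heartbeat traffic.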
Heartbleed Bug Frequently Asked Questions (FAQ)
What is the Heartbleed Bug?
It’s a fatal flaw in the way your browser talks to a website over a secure connection. An attacker could hypothetically exploit the flaw to extract data on the web servers used by banks, e-commerce sites, and other sensitive networks to steal passwords and other private information.
Is there a way to check if my accounts are affected?
Due to the nature of the bug, there is no absolute way to know if your account has been compromised. Given that the bug has been in the wild for roughly 2 years, your safest bet is to assume that your accounts have been exposed. We suggest going over your bank records to check for any suspicious activity.
Should I change my passwords?
Yes, but only after you have been advised by the affected website or service that a fix has been deployed. Changing your passwords before the bug has been patched will leave your new password vulnerable.
I don’t like changing passwords regularly because I always forget them. Is there an easier way?
There are several password managers available that will help you manage multiple passwords. Options include Passpack, KeePass, and 1Password.
I was told by my bank to use a secure/strong password. What is a secure/strong password and how do I make one?
A strong or secure password:
- is at least 8 characters long
- contains a combination of uppercase and lowercase letters
- includes non-sequential numbers
- has at least 1 symbol found on a keyboard
- does not include your username, name, birthday, or anniversary
- is significantly different from any of your previous passwords
Most of the services I use are affected. Which ones should I prioritize in changing passwords?
Start with the website or service that has completed the deployment of a fix. If they’re all fixed at the same time, prioritize your bank account passwords followed by your e-mail accounts.
Is there a way to check if a specific website is affected?
Yes, there is. Visit http://filippo.io/Heartbleed/ or http://tif.mcafee.com/heartbleedtest for details.
How do I know which websites use OpenSSL?
Look at the address bar on your browser when you visit a website. If you see a padlock icon with https beside it, then that website uses OpenSSL.
Should I avoid all websites using OpenSSL?
Not necessarily. When the bug was made public, a fix was simultaneously deployed. As such, a good number of the affected websites were patched immediately. Many other websites are also being plugged. Moreover, the latest version of OpenSSL is no longer vulnerable.
I read that Android smartphones and tablets are also affected. How do I check my own device?
Go to the Google Play Store and search for an app called “Heartbleed Detector” from Lookout Mobile Security. The app should be able to check your Android device for the vulnerability.
Is ID Superstore affected?
At ID Superstore, we take data security seriously. When we learned of the bug that affected roughly two thirds of the web, we immediately conducted an audit of our online assets and found no evidence of any vulnerability affecting our e-commerce website. Our hosting provider has likewise been proactive in doing an independent review of their infrastructure for any vulnerability and has applied appropriate patches when necessary.