A major online bug called CVE-2014-0160, more popularly known as “Heartbleed”, allows hackers to retrieve data from online services and websites. The bug was recently found by Neel Mehta of Google’s security team with a team of engineers from security company Codenomicon.
To those who know how to work around it, Heartbleed can reveal the contents of a server's memory—and this is where the most sensitive data is stored. This makes private data such as passwords and credit card numbers available to third parties. Hackers can also gain access to a server's digital keys, and then use it to decrypt information and communications from the past, and potentially the future.
Particularly prone to the bug are online services that use OpenSSL, which secures sites that use HTTPS encryption to keep data protected.
The good news is that the bug has affected only certain versions of OpenSSL so far—versions 1.0.1 and 1.0.2 beta—and fixes for these have already been issued. The bad news is that the bug was only recently discovered while the vulnerable OpenSSL versions have been in use for two years. There is no way to tell which kinds of data hackers have already collected and used through Heartbleed.
Social and blogging service Tumblr has released a note advising its users to change all their passwords immediately. Software developers and online security companies are looking into the extent of the bug, with some reporting that through Heartbleed they were able to access hundreds of Yahoo usernames and passwords.
Yahoo and several other affected sites have issued statements letting users know that they have updated their codes and have taken care of the situation. It is predicted that many websites will take a while to protect themselves from possible Heartbleed breaches as this will entail rewriting codes and revoking security certificates.
Heartbleed Bug Explained
Image via YouTube