What is Heartbleed and why is it so bad?
Since Monday the Internet has been rife with talk of the Heartbleed bug, what it has affected and how end users can try to protect themselves.
The Heartbleed bug is an encryption flaw that has exposed a number of widely used websites and apps, and has been called the biggest security threat the modern Internet has experienced. Heartbleed is not a trivial thing: it has made websites vulnerable, so it is best to temporarily avoid the affected sites and to create new, unique passwords for those accounts.
What is Heartbleed?
At the root of Heartbleed is encryption; the need to ensure that the information sent from your computer to any correspondent, site or app, is secure and your privacy is protected.
Heartbleed is a security vulnerability that has affected those sites and apps using OpenSSL, an open-source protocol that is estimated to encrypt over 66 per cent of the web. It is used to protect usernames, passwords and private information on secure websites.
Since the discovery of the bug, it has become the responsibility of those sites and apps using OpenSSL to update their servers with a security patch to fix the issue. However, until a site does so there is no guarantee that information has not been compromised, or that it was not accessed before the issue was addressed.
In an article by The Verge, the online magazine explained how Heartbleed works:
"The bug allows an attacker to pull 64k at random from a given server's working memory. It's a bit like fishing -- attackers don't know what usable data will be in the haul -- but since it can be performed over and over again, there's the potential for a lot of sensitive data to be exposed. The server's private encryption keys are a particular target, since they're necessarily kept in working memory and are easily identifiable among the data. That would allow attackers to eavesdrop on traffic to and from the service, and potentially decrypt any past traffic that had been stored in encrypted form."
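The 64k over-read The Verge describes came from a heartbeat handler that trusted the payload length field inside the request instead of the length of the record it had actually received. The C model below is an added illustration, not code from the article or from OpenSSL itself: it places the unchecked copy beside the bounds check the fix introduced, using a constructed record and a constructed "SECRET" string in a small fixed arena that stands in for server memory.

```c
/* Simplified model of the TLS heartbeat handler in OpenSSL 1.0.1 (pre-1.0.1g).
 * Record: type(1) | payload_len(2, big-endian) | payload | padding(16). Memory is
 * a small fixed arena so the over-read stays bounded; the real bug ran into the heap. */
#include <stdint.h>
#include <string.h>

#define ARENA_SIZE 64
#define HB_PAD 16
#define REC_LEN 23   /* bytes actually received: 1 + 2 + 4 ("ping") + 16 padding */

/* Constructed arena: the received record, followed by data belonging to other
 * connections (standing in for keys, cookies and passwords). */
static const uint8_t arena[ARENA_SIZE] =
    "\x01\x00\x20" "ping"                            /* type=1, declared length 32 */
    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
    "SECRET:sessionid=abcdef0123456789;";

/* Each handler echoes the payload into `out` and returns the byte count,
 * or -1 if it rejects the record. */
static int heartbeat_vulnerable(const uint8_t *rec, size_t rec_len,
                                uint8_t *out, size_t out_cap) {
    (void)rec_len;                               /* never consulted: the bug */
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if (payload > out_cap) return -1;            /* keeps this model memory-safe */
    memcpy(out, rec + 3, payload);               /* copies past the 23-byte record */
    return payload;
}

static int heartbeat_fixed(const uint8_t *rec, size_t rec_len,
                           uint8_t *out, size_t out_cap) {
    if (rec_len < 1 + 2 + HB_PAD) return -1;     /* too short to be a heartbeat */
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if (1 + 2 + (size_t)payload + HB_PAD > rec_len) return -1;  /* 1.0.1g check */
    if (payload > out_cap) return -1;
    memcpy(out, rec + 3, payload);
    return payload;
}

/* 1 if the echoed response carries bytes from beyond the received record. */
int leaks_secret(int (*handler)(const uint8_t *, size_t, uint8_t *, size_t)) {
    uint8_t out[ARENA_SIZE] = {0};
    int n = handler(arena, REC_LEN, out, sizeof out);
    for (int i = 0; n > 0 && i + 6 <= n; i++)
        if (memcmp(out + i, "SECRET", 6) == 0) return 1;
    return 0;
}
```

The vulnerable handler answers a 23-byte record with 32 bytes, the tail of which is the neighbouring "SECRET" data; the fixed handler rejects the record because the declared length exceeds what arrived.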
How can you protect yourself?
Thus far, the following websites and apps are known to have been affected by Heartbleed:
- Yahoo Mail
- Amazon Web Services
- Intuit (Turbo Tax)
There remain a number of sites that have yet to confirm whether they use OpenSSL, and whether users should change their passwords. The only way Internet users can currently attempt to protect themselves from Heartbleed is by finding out which sites have been affected by the bug and changing their passwords accordingly.
Daniel Nolan, managing director at theEword, said: "Internet privacy and security has been a hot topic since last summer's NSA revelations; the worry with the Heartbleed bug is that even the encryption software that is meant to protect users can be vulnerable. The only thing to be done at this point is keep an eye on which sites have been affected and ensure more than ever that you are regularly changing your passwords."