NEW YORK – A flaw has been discovered in one of the Internet’s key security methods, potentially forcing a wide swath of websites to make changes to protect the security of consumers.
The problem was first discovered by a team of Finnish security experts and researchers at Google last week and disclosed Monday. By Tuesday afternoon, a number of large websites, including Yahoo, Facebook, Google, and Amazon Web Services, said they were fixing the problem or had already fixed it.
Researchers were still looking at the impact on consumers but warned it could be significant. Users’ most sensitive information – like passwords, stored files, bank details, even Social Security numbers – could be vulnerable because of the flaw.
“This still means that the little lock icon (HTTPS) we all trusted to keep our passwords, personal emails and credit cards safe was actually making all that private information accessible to anyone who knew about the exploit,” the security team at Tumblr, which is part of Yahoo, wrote on their site.
The most immediate advice from security experts to consumers was to wait or at least be cautious before changing passwords. Change a password on a site that hasn’t been fixed, and you could be handing the new password over to hackers. So before you do anything, they recommended, research a site to see if it has dealt with the issue. If it has, make the change.
The exact extent of the vulnerability was unclear. Up to two-thirds of websites rely on the affected technology, called OpenSSL. But some organizations appeared to have had advance notice of the issue and had already fixed the problem by Tuesday afternoon. Many others were still working on the problem.
There is no indication that hackers have used the flaw to steal information, although it has existed for about two years. On GitHub, a website where developers gather to share code, some were posting ways to exploit the bug. The Finnish security researchers, working for Codenomicon, a security company headquartered in Saratoga, Calif., and security researchers at Google found the bug in a portion of the OpenSSL software – the library that encrypts sessions between consumer devices and websites – called the “heartbeat” because it sends short messages back and forth to keep a connection alive. The researchers called the bug “Heartbleed.”
“It’s a serious bug in that it doesn’t leave any trace,” said David Chartier, chief executive at Codenomicon. “Bad guys can access the memory on a machine and take encryption keys, usernames, passwords, valuable intellectual property, and there’s no trace they’ve been there.”
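The memory access Chartier describes comes down to one missing comparison in the heartbeat handler: the sender states how long its message is, and the defective code trusted that number instead of checking it against the bytes that actually arrived. The following is an added, simplified model written for this article, not code from OpenSSL or from the researchers; the record layout, the handler names, and the constructed ARENA bytes (a 21-byte request whose header claims 32 bytes, followed by 16 bytes standing in for whatever else sits in server memory) are assumptions made for illustration. It shows the defective handler echoing bytes from beyond the record and the hardened handler discarding the same record.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified heartbeat record (hypothetical layout modelled on the TLS
 * heartbeat extension): 1 byte type, 2 bytes big-endian payload length,
 * the payload, then at least 16 bytes of padding. */
#define HB_REQUEST     1
#define HB_RESPONSE    2
#define HB_MIN_PADDING 16

static uint16_t read_be16(const uint8_t *p) {
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* Defective handler: echoes back as many bytes as the sender CLAIMS to have
 * sent, never comparing that claim to the bytes actually received. When the
 * claim exceeds the record, memcpy reads whatever lies after it in memory. */
size_t heartbeat_reply_vulnerable(const uint8_t *rec, size_t rec_len,
                                  uint8_t *out, size_t out_cap) {
    (void)rec_len;                           /* the received length is never consulted */
    if (rec[0] != HB_REQUEST) return 0;
    size_t payload_len = read_be16(rec + 1);
    if (3 + payload_len > out_cap) return 0; /* only the reply buffer is protected */
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload_len);   /* over-reads when payload_len lies */
    return 3 + payload_len;
}

/* Hardened handler: header, declared payload and minimum padding must fit
 * inside the record actually received, otherwise the record is discarded. */
size_t heartbeat_reply_fixed(const uint8_t *rec, size_t rec_len,
                             uint8_t *out, size_t out_cap) {
    if (rec_len < 1 + 2 + HB_MIN_PADDING) return 0;   /* too short for header + padding */
    if (rec[0] != HB_REQUEST) return 0;
    size_t payload_len = read_be16(rec + 1);
    if (1 + 2 + payload_len + HB_MIN_PADDING > rec_len) return 0; /* claim exceeds what arrived */
    if (3 + payload_len > out_cap) return 0;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload_len);   /* now bounded by rec_len */
    return 3 + payload_len;
}

/* Constructed test data. ARENA models one region of server memory: a 21-byte
 * heartbeat record whose header claims a 32-byte payload but carries only 2,
 * followed by 16 bytes standing in for unrelated data that happens to sit
 * next to it (in a real process that could be keys or session data). */
#define RECORD_LEN (1 + 2 + 2 + HB_MIN_PADDING)   /* 21 bytes actually received */
static const uint8_t ARENA[RECORD_LEN + 16] = {
    HB_REQUEST, 0x00, 0x20,                          /* declared payload length: 32 */
    'h', 'i',                                        /* the 2 payload bytes really sent */
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,  /* 16 bytes of padding */
    'S', 'E', 'C', 'R', 'E', 'T', '-', 'D', 'A', 'T', 'A', '-', 'H', 'E', 'R', 'E'
};
/* A well-formed record: declared length 2, 2 payload bytes, 16 bytes padding. */
static const uint8_t HONEST[RECORD_LEN] = {
    HB_REQUEST, 0x00, 0x02, 'h', 'i',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
};

/* Bytes from beyond the record that the defective handler copies into its
 * reply; 0 if nothing leaked or the copied bytes do not match adjacent memory. */
size_t vulnerable_overread_bytes(void) {
    uint8_t out[64];
    size_t n = heartbeat_reply_vulnerable(ARENA, RECORD_LEN, out, sizeof out);
    if (n <= RECORD_LEN) return 0;
    size_t leaked = n - RECORD_LEN;              /* reply is 3 + 32 = 35; 35 - 21 = 14 */
    return memcmp(out + RECORD_LEN, ARENA + RECORD_LEN, leaked) == 0 ? leaked : 0;
}

/* 1 if the hardened handler discards the lying record, 0 otherwise. */
int fixed_rejects_lying_record(void) {
    uint8_t out[64];
    return heartbeat_reply_fixed(ARENA, RECORD_LEN, out, sizeof out) == 0;
}

/* Reply length for the well-formed record under the hardened handler (3 + 2). */
size_t fixed_answers_honest_record(void) {
    uint8_t out[64];
    return heartbeat_reply_fixed(HONEST, RECORD_LEN, out, sizeof out);
}

int main(void) {
    printf("defective handler leaked %zu bytes of adjacent memory\n", vulnerable_overread_bytes());
    printf("hardened handler rejects the lying record: %s\n", fixed_rejects_lying_record() ? "yes" : "no");
    printf("hardened handler reply to an honest record: %zu bytes\n", fixed_answers_honest_record());
    return 0;
}
```

The whole difference between the two handlers is the comparison of the declared length against `rec_len`; everything else is identical. Because the defective path leaves no error, no crash and no log entry, the hardened path is also the natural place for a server to count and log discarded heartbeat records, which is the only cheap signal a defender gets that someone is sending malformed heartbeats.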
Organizations were advised to immediately download the newest version of the OpenSSL software, which included a fix, and quickly swap out their encryption keys. It also meant organizations needed to change their corporate passwords, log out users and advise them to change their own passwords.
Then companies began taking inventory of what they may have lost. But because the flaw would allow attackers to surreptitiously steal the keys that protect communication, user passwords and anything stored in the memory of a vulnerable web server, it was virtually impossible to assess whether damage had been done.
Security researchers say they found evidence that suggests attackers were aware of the bug. Researchers monitoring various “honeypots” – stashes of fake data on the web aimed at luring hackers so researchers can learn more about their tools and techniques – found evidence that attackers had used the Heartbleed bug to access the fake data.
If there were actual victims, they would be out of luck. “Unless an attacker blackmails you, or publishes your information online, or steals a trade secret and uses it, you won’t know if you’ve been compromised,” Chartier said. “That’s what makes it so vicious.”
Chartier advised users to consider their passwords gone and said companies should deal with the issue right away if they had not already. “Companies need to get new encryption keys and users need to get new passwords,” he said, adding: “And do it quickly.”
Security researchers are also warning people to start changing their passwords, particularly for sensitive accounts like their online banking, email, file storage and e-commerce accounts.