A major security vulnerability has been discovered affecting millions of web servers around the world, which could pose major risks to web users. A fix has been issued and firms are urged to check their systems and apply it urgently.
The Heartbleed bug affects OpenSSL, the encryption library used by open-source web servers such as Apache and Nginx. It is a missing bounds check in OpenSSL's implementation of the TLS heartbeat extension, present in versions 1.0.1 through 1.0.1f and fixed in 1.0.1g. Around 66 percent of all sites are hosted on such servers, underlining the scale of the threat, although only servers running an affected OpenSSL version are exposed.
OpenSSL is an open-source implementation of the secure sockets layer (SSL) and transport layer security (TLS) protocols, which protect web (HTTPS) traffic as well as email, instant messaging and some virtual private networks (VPNs).
Researchers with a Finnish company called Codenomicon discovered the vulnerability and provided a detailed overview of the threat it poses.
“The Heartbleed bug allows anyone on the internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software,” it said.
“This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.”
The firm outlined the scale of the issue by warning that sites of any size could be affected: “Your popular social site, your company's site, commerce site, hobby site, site you install software from or even sites run by your government might be using vulnerable OpenSSL.”
The security firm added that it is unclear if attackers have abused the vulnerability.
A researcher from Google Security also uncovered the issue around the same time and reported it to the OpenSSL team, Codenomicon acknowledged.
Google said it has already taken action to protect its sites from the issue.
“The security of our users’ information is a top priority,” Google said in a statement to Bloomberg Businessweek. “We proactively look for vulnerabilities and encourage others to report them precisely so that we are able to fix them before they are exploited. We have assessed the SSL vulnerability and applied patches to key Google services.”
Security firm Qualys reacted quickly, releasing a free online tool that lets businesses check whether their websites are affected. Ivan Ristic, director of engineering at Qualys, said finding out if a site is at risk is vital.
“The Heartbleed vulnerability is easy to exploit and there are already many proof-of-concept tools available that one can use in minutes,” he said.
“After a successful attack, the attacker can obtain a large chunk of server memory, which can contain server private keys, session keys, passwords and other sensitive data. IT administrators need to map their exposure and install the patched version wherever necessary.”
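The over-read Ristic describes comes from a single missing length check. The following C model is added here as an illustration and is not OpenSSL's source: it puts a simplified vulnerable heartbeat handler beside the 1.0.1g-style fix and runs both over a constructed memory layout, a 20-byte request that claims a 64-byte payload with a made-up secret placed immediately after it. The message layout follows RFC 6520; the buffer, the secret string and the function names are the example's own.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model of TLS heartbeat (RFC 6520) handling, written for this
 * article to show the Heartbleed over-read. It is not OpenSSL's source code. */

#define TLS1_HB_REQUEST  1
#define TLS1_HB_RESPONSE 2
#define HB_PADDING       16   /* RFC 6520: at least 16 bytes of padding */

/* One received heartbeat record: its bytes and how many actually arrived. */
typedef struct {
    const unsigned char *data;
    size_t length;
} record_t;

/* Read the 16-bit big-endian payload_length field. */
static unsigned read_u16(const unsigned char *p) {
    return ((unsigned)p[0] << 8) | p[1];
}

/* Shared tail of both handlers: build the response once the payload length
 * has been accepted. The caller guarantees `out` holds 3 + payload + padding. */
static size_t write_response(unsigned char *out, const unsigned char *src, unsigned payload) {
    out[0] = TLS1_HB_RESPONSE;
    out[1] = (unsigned char)(payload >> 8);
    out[2] = (unsigned char)(payload & 0xff);
    memcpy(out + 3, src, payload);
    memset(out + 3 + payload, 0, HB_PADDING);
    return 3 + (size_t)payload + HB_PADDING;
}

/* Vulnerable (OpenSSL 1.0.1 to 1.0.1f behaviour): the payload length comes
 * straight from the peer's message and is never compared with the record
 * length, so memcpy reads past the record into adjacent heap memory (up to
 * 64KB per request in the real bug). Returns response length, 0 if discarded. */
size_t heartbeat_vulnerable(const record_t *rec, unsigned char *out, size_t out_cap) {
    const unsigned char *p = rec->data;
    unsigned char type = *p++;
    unsigned payload = read_u16(p);
    p += 2;
    if (type != TLS1_HB_REQUEST) return 0;
    if (3 + (size_t)payload + HB_PADDING > out_cap) return 0;  /* OpenSSL malloc'd this size */
    return write_response(out, p, payload);  /* over-read when payload > rec->length - 3 */
}

/* Fixed (1.0.1g behaviour): check that header, claimed payload and padding all
 * fit inside the bytes actually received; otherwise discard silently (RFC 6520 s.4). */
size_t heartbeat_fixed(const record_t *rec, unsigned char *out, size_t out_cap) {
    if (1 + 2 + HB_PADDING > rec->length) return 0;
    const unsigned char *p = rec->data;
    unsigned char type = *p++;
    unsigned payload = read_u16(p);
    p += 2;
    if (type != TLS1_HB_REQUEST) return 0;
    if (1 + 2 + (size_t)payload + HB_PADDING > rec->length) return 0;  /* the missing check */
    if (3 + (size_t)payload + HB_PADDING > out_cap) return 0;
    return write_response(out, p, payload);
}

/* ---- Constructed demo memory (not captured from any real server) ---- */

static unsigned char demo_mem[128];
static const char demo_secret[] = "SECRET:demo-private-key-bytes";
#define DEMO_REC_LEN (3 + 1 + HB_PADDING)   /* 20 bytes really received */

/* A request with one real payload byte plus 16 bytes of padding, claiming
 * `claim` payload bytes, followed immediately by a secret the way key material
 * may sit next to a heap buffer. The buffer is big enough that the over-read
 * stays inside it, so this demo itself has no undefined behaviour. */
static record_t build_demo(unsigned claim) {
    memset(demo_mem, 0, sizeof demo_mem);
    demo_mem[0] = TLS1_HB_REQUEST;
    demo_mem[1] = (unsigned char)(claim >> 8);
    demo_mem[2] = (unsigned char)(claim & 0xff);
    demo_mem[3] = 'A';
    memcpy(demo_mem + DEMO_REC_LEN, demo_secret, sizeof demo_secret);
    record_t rec = { demo_mem, DEMO_REC_LEN };
    return rec;
}

static int contains(const unsigned char *hay, size_t n, const char *needle) {
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(hay + i, needle, m) == 0) return 1;
    return 0;
}

/* Response length each handler produces for a request claiming `claim` bytes. */
size_t vulnerable_response_len(unsigned claim) {
    unsigned char out[256];
    record_t rec = build_demo(claim);
    return heartbeat_vulnerable(&rec, out, sizeof out);
}
size_t fixed_response_len(unsigned claim) {
    unsigned char out[256];
    record_t rec = build_demo(claim);
    return heartbeat_fixed(&rec, out, sizeof out);
}

/* 1 if the vulnerable handler's reply to a 64-byte claim carries the secret. */
int vulnerable_leaks_secret(void) {
    unsigned char out[256];
    record_t rec = build_demo(64);
    size_t n = heartbeat_vulnerable(&rec, out, sizeof out);
    return contains(out, n, demo_secret);
}

int main(void) {
    printf("vulnerable, honest 1-byte claim: %zu bytes\n", vulnerable_response_len(1));
    printf("vulnerable, 64-byte claim: %zu bytes, leaks secret: %d\n",
           vulnerable_response_len(64), vulnerable_leaks_secret());
    printf("fixed, 64-byte claim: %zu bytes (discarded)\n", fixed_response_len(64));
    printf("fixed, honest 1-byte claim: %zu bytes\n", fixed_response_len(1));
    return 0;
}
```

The honest one-byte request gets a 20-byte reply from both handlers; the 64-byte claim gets an 83-byte reply from the vulnerable handler, containing the bytes that sat after the record, and is silently dropped by the fixed one. The only difference between the two handlers is the comparison against `rec->length`, which is what the 1.0.1g patch adds.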
FireEye threat intelligence analyst Aaron Charrington said the firm had already seen communities online discussing the vulnerability and sharing information on who could be targeted.
"FireEye has observed several different lists being posted to GitHub and Pastebin monitoring what sites are vulnerable, not vulnerable, and not running SSL on their web servers," he said.
He urged firms to carry out all necessary actions to check if they are affected. "Organisations should perform network scans as soon as possible. Organisations need to identify if any other devices may be running OpenSSL as well. This could include appliances, wireless access points, routers, or pretty much anything else that may use SSL," he said.
"As an example, several different types of voice over IP (VoIP) phones used in the corporate environment run SSL. For these other devices, organisations may need to work with their vendors to apply a patch, firmware or solution."
The incident poses new questions about the security of the web and underlines the threats faced by citizens who entrust their data to tech giants. Symantec reported on Tuesday that 552 million users were affected by giant data breaches in 2013, as criminals find new ways to steal personal data.