Heartbleed bug turns into web’s security disaster


The ‘Heartbleed’ bug, a security flaw in crucial encryption code, has made headlines this week as the most significant and dangerous vulnerability to ever hit the internet.

According to security researchers, this coding error at the heart of the internet, which went undiscovered for the last two years (since March 2012), may have compromised the security of around 66 percent of online sites, exposing users’ personal information.

Attackers could easily exploit this security flaw to steal users’ passwords, credit card details, encryption keys and other sensitive data, without leaving any trace.

Experts estimate that around two-thirds of the world’s web servers run OpenSSL, the open source software that contains the flaw; the bug lies in an extension to SSL (Secure Sockets Layer).

SSL is crucial in protecting services like online shopping or banking from eavesdropping, as it stops a third party from intercepting data in transit and reading confidential information. The Heartbleed bug allows such a third party to read the memory of systems running vulnerable versions of the OpenSSL software.
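The memory exposure comes from a missing bounds check: a heartbeat request states how many payload bytes it carries, and the vulnerable code trusted that number instead of comparing it with the size of the record actually received. The following is an added teaching model, not OpenSSL's own code or the article's; the record layout (one type byte, a two-byte length, the payload, then 16 bytes of padding), the `HB_` constants, the `heartbeat_*` and `demo_*` functions and the two sample records are all constructed here for illustration. It shows the unchecked length beside the hardened check, which rejects a record whose claimed length does not fit in the record.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a heartbeat record: type (1 byte), payload length (2 bytes,
   big-endian), payload, then 16 bytes of padding. Names and layout are assumptions. */
#define HB_TYPE_REQUEST  1
#define HB_TYPE_RESPONSE 2
#define HB_PADDING       16

/* The defect in one line: return the length the peer *claims*, with no comparison
   against how many bytes actually arrived. This function only reports the number
   a naive echo would copy; it deliberately does not touch any memory. */
size_t heartbeat_echo_len_unchecked(const uint8_t *rec, size_t rec_len) {
    if (rec_len < 3) return 0;
    return (uint16_t)((rec[1] << 8) | rec[2]);
}

/* Hardened check: the claimed payload plus header and padding must fit inside the
   bytes that were really received. Returns 1 and sets *payload_len if valid, else 0. */
int heartbeat_validate(const uint8_t *rec, size_t rec_len, size_t *payload_len) {
    if (rec_len < 1 + 2 + HB_PADDING) return 0;          /* too short to be a request */
    if (rec[0] != HB_TYPE_REQUEST) return 0;
    size_t claimed = (uint16_t)((rec[1] << 8) | rec[2]);
    if (1 + 2 + claimed + HB_PADDING > rec_len) return 0; /* claimed length overruns record */
    *payload_len = claimed;
    return 1;
}

/* Builds the echo response into out, copying only bytes the record actually holds.
   Returns the response length, or 0 if the request is rejected or out is too small. */
size_t heartbeat_respond(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap) {
    size_t plen;
    if (!heartbeat_validate(rec, rec_len, &plen)) return 0;
    if (1 + 2 + plen + HB_PADDING > out_cap) return 0;
    out[0] = HB_TYPE_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, plen);             /* bounded by the validated length */
    memset(out + 3 + plen, 0, HB_PADDING);      /* padding, zeroed rather than leaked */
    return 1 + 2 + plen + HB_PADDING;
}

/* Constructed sample: a well-formed request carrying the 4-byte payload "ping". */
static const uint8_t BENIGN_REQ[] = {
    HB_TYPE_REQUEST, 0x00, 0x04, 'p', 'i', 'n', 'g',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
};

/* Constructed sample: claims 65535 payload bytes but carries only one. */
static const uint8_t OVERLONG_REQ[] = {
    HB_TYPE_REQUEST, 0xFF, 0xFF, 'x',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
};

size_t demo_benign_response_len(void) {
    uint8_t out[64];
    return heartbeat_respond(BENIGN_REQ, sizeof BENIGN_REQ, out, sizeof out);
}

size_t demo_overlong_claimed_len(void) {
    return heartbeat_echo_len_unchecked(OVERLONG_REQ, sizeof OVERLONG_REQ);
}

size_t demo_overlong_response_len(void) {
    uint8_t out[64];
    return heartbeat_respond(OVERLONG_REQ, sizeof OVERLONG_REQ, out, sizeof out);
}

int main(void) {
    printf("benign request  -> response of %zu bytes\n", demo_benign_response_len());
    printf("overlong request: unchecked code would echo %zu bytes from a %zu-byte record\n",
           demo_overlong_claimed_len(), sizeof OVERLONG_REQ);
    printf("overlong request -> hardened code returns %zu (rejected)\n",
           demo_overlong_response_len());
    return 0;
}
```

The gap between the unchecked length (65535) and the 20 bytes that actually arrived is exactly the region a vulnerable server would read past its buffer and send back; the hardened path refuses the record instead, which is the behaviour the patched OpenSSL release restores.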

Security expert and chief technology officer of Co3 Systems Bruce Schneier described the Heartbleed bug as “catastrophic”. “On the scale of one to 10, this is an 11.”

Around 500 million sites, including those of major web companies such as Google, Yahoo and Facebook, were affected by this vulnerability, while Twitter, LinkedIn, Amazon, Hotmail and Outlook, eBay, PayPal and Apple’s services remain unaffected. However, Facebook and Google claim to have already patched the flaw before it was publicly disclosed.

Experts note that, as a permanent fix, the Heartbleed bug requires all affected sites and services to update their software and replace their security certificates.

Reports note widespread speculation that the Heartbleed bug is linked to the Prism online surveillance programme of the US National Security Agency (NSA), although there is no direct evidence.

Although there is confusion over when passwords should be changed, some researchers are advising people to change all their passwords now, while others argue this could do more harm, since changing a password on a still-vulnerable site can reveal both the old and the new password to a man in the middle.