Bleeding Hell! Bug 'HeartBleeds' User Details, Researchers Warn

Written by Oonagh Reidy     10/04/2014 | 12:15 | Category: INDUSTRY

Software bug could bleed users' personal info

A long-standing OpenSSL bug, called Heartbleed, has been uncovered, which could expose users' private data to online hackers.

The software vulnerability affects the way most websites and online services secure your communication, allowing hackers to "heartbleed" your personal info. 

An attacker can 'heartbleed' a server to read the memory of systems protected by OpenSSL. This exposes the secret keys used to encrypt traffic, as well as names and passwords.

The bug opens the door for attackers to eavesdrop on web communications and steal data directly from websites or users, say researchers. It could even allow hackers to impersonate a user.

Websites using OpenSSL, recognisable by the small padlock icon in the browser address bar or the 's' added to the 'http' prefix, are being targeted using this vulnerability.

Researchers claim to have found all sorts of data, including usernames, passwords, server encryption keys and more, while 'heartbleeding'.

"Around two-thirds of websites and many other services currently use affected versions of OpenSSL (Open Secure Socket Layer)," warns the Australian Government's Stay Smart Online website.

Yahoo had been hit by the bug, which it has now fixed. Other companies should also be updating their OpenSSL and renewing certificates to address the issue.

Should you change your password?

Perhaps not, says security expert Paul Ducklin from Sophos Labs.

"There is one important reason why you might not want to rush out and change all your passwords on all your services right this minute, and it's a sort-of Catch-22. If you need to change your password on a server that is at risk due to Heartbleed, then the new password you choose may be at risk due to Heartbleed."

There are a lot more people ready to heartbleed your new password right now than there were a week ago, he says.

"We suggest you wait until you know that a site is not vulnerable, for example because it makes a clear statement to that effect, or use a public testing service that connects to a website to estimate whether it's safe or not first." 

What can you do?

According to the Stay Smart Online website:

Each website or service needs to be fixed by its administrator, and users should contact the website or service provider and ask whether the issue has been addressed.

Once this is done, you should also consider changing your password for any accounts you have on affected sites, particularly if they relate to sensitive, personal or financial information.

Affected websites may begin to notify users to change passwords, but there is no guarantee websites will do this.

If you are a business that operates a website, you should be taking steps to address this issue.