It seemed as if we had been living peacefully without a major online security flaw; however, a bug called “Heartbleed” was revealed earlier this week.
What is Heartbleed?
This “Heartbleed” bug could let attackers gain access to users’ passwords and fool people into using bogus versions of Web sites. Some already say they’ve found Yahoo passwords as a result.
The problem originates in OpenSSL, the well-known open-source library that is widely used to encrypt Web communications. Heartbleed can reveal the contents of a server’s memory, where the most sensitive data is stored. That includes private data such as usernames, passwords, and credit card numbers. It also means an attacker can obtain copies of a server’s digital keys and then use them to impersonate servers or to decrypt communications from the past, and potentially the future, too.
This isn’t simply a bug in some app that can quickly be updated – the vulnerability is on the machines that power services that transmit secure information, like Facebook and Gmail.
“We were able to scrape a Yahoo username & password via the Heartbleed bug,” tweeted Ronald Prins of security firm Fox-IT, showing a censored example. Developer Scott Galloway added, “Ok, ran my heartbleed script for 5 minutes, now have a list of 200 usernames and passwords for yahoo mail…TRIVIAL!”
Here are a few things you can do now.
Steps a web hosting or server admin has to take –
- Update to patched OpenSSL packages
- Regenerate your SSL certificate if you are using one.
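The first admin step above raises an obvious question: how do you tell whether the OpenSSL on a given box still needs the update? The script below is an added example written for this post, not code from the original article or from the OpenSSL project. It classifies the banner printed by `openssl version -a` using the facts that upstream releases 1.0.1 through 1.0.1f and 1.0.2-beta1 are affected and that 1.0.1g (released 7 April 2014) is the first fixed 1.0.1 release. It never touches the network; the sample banners embedded in it are constructed, and the `built on:` heuristic assumes the 1.0.x-era banner layout.

```python
"""Classify a local OpenSSL build for Heartbleed exposure from the text that
`openssl version -a` prints. Defender-side inventory check only: it sends
nothing over the network."""
import re
import subprocess
from datetime import date

# Upstream releases affected by Heartbleed: 1.0.1 through 1.0.1f and 1.0.2-beta1.
# 1.0.1g, released 2014-04-07, is the first fixed 1.0.1 release; the 0.9.8 and
# 1.0.0 branches never contained the TLS heartbeat code.
FIRST_FIXED_LETTER = "g"
FIX_DATE = date(2014, 4, 7)

VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]?)(?:-beta(\d+))?")
MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}
# Matches the 1.0.x-style line "built on: Mon Apr  7 14:20:28 UTC 2014".
BUILT_RE = re.compile(
    r"built on:.*?\b(Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)\s+(\d{1,2})\b.*?\b(\d{4})\b")

EXPLANATION = {
    "not-affected": "this OpenSSL branch/release does not carry the Heartbleed bug",
    "vulnerable": "affected release; update OpenSSL, restart every service that links it, "
                  "then reissue private keys and certificates",
    "possibly-patched": "affected upstream version string, but the binary was built on or after "
                        "the fix date; distributions backport the fix without bumping the "
                        "version, so confirm against the package changelog",
    "unknown": "could not parse an OpenSSL version string",
}


def parse_version(text):
    """Return (major, minor, patch, letter, beta) from a version banner, or None."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch, letter, beta = m.groups()
    return int(major), int(minor), int(patch), letter, (int(beta) if beta else None)


def parse_build_date(text):
    """Return the 'built on:' date from a 1.0.x-style banner, or None if absent."""
    m = BUILT_RE.search(text)
    if not m:
        return None
    mon, day, year = m.groups()
    return date(int(year), MONTHS[mon], int(day))


def classify(text):
    """Map an `openssl version [-a]` banner to one of the EXPLANATION keys."""
    v = parse_version(text)
    if v is None:
        return "unknown"
    major, minor, patch, letter, beta = v
    affected_1_0_1 = (major, minor, patch) == (1, 0, 1) and letter < FIRST_FIXED_LETTER
    affected_1_0_2 = (major, minor, patch) == (1, 0, 2) and beta == 1
    if not (affected_1_0_1 or affected_1_0_2):
        return "not-affected"
    built = parse_build_date(text)
    if built is not None and built >= FIX_DATE:
        return "possibly-patched"
    return "vulnerable"


def local_openssl_banner():
    """Run the local openssl binary and return its banner, or None if not installed."""
    try:
        out = subprocess.run(["openssl", "version", "-a"],
                             capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return None
    return out.stdout


# Constructed sample banners for demonstration (not captured from any real host).
SAMPLES = {
    "1.0.1e, built before the fix": "OpenSSL 1.0.1e 11 Feb 2013\nbuilt on: Fri Feb 15 10:00:00 UTC 2013\n",
    "1.0.1e, distro rebuild after fix": "OpenSSL 1.0.1e 11 Feb 2013\nbuilt on: Mon Apr  7 22:10:03 UTC 2014\n",
    "1.0.1g upstream": "OpenSSL 1.0.1g 7 Apr 2014\nbuilt on: Mon Apr  7 14:20:28 UTC 2014\n",
    "1.0.2-beta1": "OpenSSL 1.0.2-beta1 24 Feb 2014\n",
    "1.0.0 branch": "OpenSSL 1.0.0k 5 Feb 2013\n",
}

if __name__ == "__main__":
    for label, banner in SAMPLES.items():
        verdict = classify(banner)
        print(f"{label:36s} -> {verdict}: {EXPLANATION[verdict]}")
    banner = local_openssl_banner()
    if banner:
        print(f"{'local openssl binary':36s} -> {classify(banner)}")
```

Two caveats a practitioner should keep in mind when acting on the verdict. A "vulnerable" or "possibly-patched" result on a version string alone is only a first screen, because distributions such as Debian and Ubuntu shipped the fix as a patched package while keeping the 1.0.1e version number; the package changelog is the authoritative signal. And updating the library is not enough by itself: long-running services (web servers, mail servers, VPN daemons) keep the old OpenSSL mapped until they are restarted, which is also why the certificate step matters: the private key behind the old certificate may already have been read out of memory, so the replacement must use a freshly generated key.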
Steps a user has to take –
- Change your passwords (Gmail, Facebook, and whatever other online services you use).
- Tell your friends about it.