Heartbleed bug may expose your private data

Your password, email and other data on secure websites may be unsafe due to a "serious vulnerability" in a popular software code used to encrypt internet communications.

What you need to know about the serious bug affecting 'secure' internet services

The Heartbleed bug was found in a popular version of OpenSSL software code used by over two-thirds of active websites on the internet to provide secure and private communications (Shutterstock)
A "serious vulnerability" has been found in the software that often encrypts your user name, password and banking information when you log into "secure" websites, as indicated by the little lock icon in your browser.

The "Heartbleed bug" has the potential to expose huge amounts of private data, including user names, passwords, credit card numbers and emails, since it was found in a popular version of OpenSSL software code. The code is used by over two-thirds of active websites on the internet to provide secure and private communications, reported a website set up by security researchers to provide information about the bug.

The software code is also used by many email and chat servers and virtual private networks.

The bug allows "anyone on the internet" to read the memory of systems protected by the bug-afflicted code, compromising the secret keys used to encrypt the data, the researchers reported.

"This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users."

Tests by the security researchers who discovered the bug showed that eavesdropping via the bug is undetectable.

"Without using any privileged information or credentials we were able steal from ourselves the secret keys used for our X.509 certificates, user names and passwords, instant messages, emails and business critical documents and communication," they wrote.

The bug was discovered independently by security engineers at the Finnish internet security testing firm Codenomicon and Neel Mehta of Google Security. It is found in a version of the code that has been used by internet services for more than two years.

The researchers say they don't know if any cybercriminals have discovered and exploited the bug.

Patched version available

A patched version of the software code was released Monday when the bug was disclosed, but it still needs to be incorporated into the actual operating systems and software that use it. Then it must be installed by the owners of the affected internet services. All that may take some time.

Meanwhile, as a user, what can you do to ensure the web services you're using are safe? Italian security researcher Filippo Valsorda has created a tool that lets you check whether a website has the Heartbleed vulnerability.

Valsorda noted that the site sometimes generates a false negative, probably because it is overloaded, but testing a vulnerable site over and over will eventually give a positive result. "The red result takes precedence over all the others and is certain," he wrote.

Yahoo patching its services

As of Tuesday morning, the tool suggested that Google, Microsoft, Twitter, Facebook, Dropbox, and Amazon remain safe, but Yahoo.com is vulnerable.

"Please take immediate action," the site says, directing users to the Heartbleed FAQ.

By 3 p.m. ET, Yahoo said it had successfully patched the bug on its homepage, search, mail, finance, sports, food, tech, Flickr photo and Tumblr blogging services.

"We are working to implement the fix across the rest of our sites right now," a Yahoo spokesperson wrote in an email.

The official name of the Heartbleed bug is CVE-2014-0160, and it affects OpenSSL versions 1.0.1 to 1.0.1f, but not earlier or later versions. It was nicknamed "Heartbleed" because it was found in a part of the code called the "heartbeat extension."

Entering Yahoo.com into security consultant Filippo Valsorda's Heartbleed Test website suggests that it is vulnerable to the bug.

Comments

To encourage thoughtful and respectful conversations, first and last names will appear with each submission to CBC/Radio-Canada's online communities (except in children and youth-oriented communities). Pseudonyms will no longer be permitted.

By submitting a comment, you accept that CBC has the right to reproduce and publish that comment in whole or in part, in any manner CBC chooses. Please note that CBC does not endorse the opinions expressed in comments. Comments on this story are moderated according to our Submission Guidelines. Comments are welcome while open. We reserve the right to close comments at any time.