'Heartbleed' Bug Threatens Web Encryption, Makes Passwords Vulnerable

by Jared Keever

A programming flaw in widely used Internet security software may have left thousands of websites vulnerable to having users’ passwords stolen. The glitch has been dubbed “Heartbleed,” and security analysts are still struggling to determine the scope of the problems it may have created.

The Yahoo-owned site Tumblr was the largest website to announce on Tuesday that it had been affected by the bug, according to the Los Angeles Times. Officials at Yahoo urged users to change their passwords for Tumblr as well as all other websites.

The technology website CNET reported that testers were able to exploit the glitch and lift passwords from other Yahoo sites as well.

Yahoo issued a statement Tuesday saying it had repaired the main vulnerabilities. 

“As soon as we became aware of the issue, we began working to fix it,” the statement read. “Our team has successfully made the appropriate corrections across the main Yahoo properties (Yahoo Homepage, Yahoo Search, Yahoo Mail, Yahoo Finance, Yahoo Sports, Yahoo Food, Yahoo Tech, Flickr, and Tumblr) and we are working to implement the fix across the rest of our sites right now.”

Heartbleed is a vulnerability in OpenSSL, the encryption technology used by 66 percent of all servers on the public Internet. Analysts have not gone so far as to tell people to stay off the Internet completely, but they have suggested that people stay away from sensitive activities like online banking until the flaw is completely understood.

“The scope of this is immense,” said Kevin Bocek, a vice president at Venafi, a Salt Lake City cyber security company. “And the consequences are still scary. I've talked about this like a 'Mad Max' moment. It's a bit of anarchy right now. Because we don't know right now who has the keys and certificates on the Internet right now.”

An update to OpenSSL has already been released so that sites can fix the problem. For now, though, it will be up to users to determine if sites they regularly use have updated the software making them safe again. 

"Avoid things like online banking and avoid sensitive sites if you're not sure," said Andrew Storms of CloudPassage. "Some people will see it as overkill. But I think that's the simplest guidance. If you can hold off doing something online for a couple days, then you should."

A Business Insider story offers suggestions to users for protecting themselves. The story indicates that researchers who discovered the bug let programmers know several days in advance of announcing the vulnerability, so most sites should already be in the process of updating their servers' software. Once users have confirmed that has been done, they should change their passwords to the sites.

Sources: The Los Angeles Times, CNET, Business Insider