This week, sites like Soundcloud announced that they would be routinely logging users out to protect them from Heartbleed, a bug in OpenSSL software that’s used to encrypt traffic but ends up leaving users vulnerable.
The bug was recently uncovered, and there's now a handy guide explaining how the flaw works, what information can be extracted and how it can be stopped. The bug has enormous implications that could put the majority of the Internet at risk. Essentially, the security vulnerability allows hackers to spy on communications, data and other information of users on websites that otherwise appeared to be safe and encrypted without leaving a trace in the logs. This bug has existed for at least two years, leaving keys usernames, passwords, and other information open and accessible to anyone who knows how to navigate the system.
According to a report from Wired, the NSA may have been using Heartbleed to conduct spying operations on a mass scale. There is, however, currently no concrete evidence suggesting that the agency has done so.
“It would not surprise me if the NSA had discovered this long before the rest of us had. It’s certainly something that the NSA would find extremely useful in their arsenal,” University of Pennsylvania professor of cryptography and computer security Matt Blaze told Wired.
Whether or not the NSA is involved, the security flaw is certainly cause for major concern. A new version of OpenSSL has been created, and it’s up to service providers to integrate the new software to prevent future attacks.