The Washington PostDemocracy Dies in Darkness

Major bug called ‘Heartbleed’ exposes Internet data

A newly discovered security bug nicknamed Heartbleed has exposed millions of usernames, passwords and reportedly credit card numbers — a major problem that hackers could have exploited during the more than two years it went undetected.

It’s unlike most of the breaches reported over the past few years, in which one Web site or another got hacked or let its guard down. The flaw this time is in code designed to keep servers secure — tens of thousands of servers on which data is stored for thousands of sites.

That’s why some experts were calling Heartbleed the worst bug yet, something that should worry everyone who frequents the Internet or does business on it.

It’s as if someone went on vacation not knowing the lock on the front door was broken. Could someone walk in? Yes. Will they? Did they? Who knows.

Codenomicon, the Finnish security firm that helped discover the bug offered a chilling illustration of its danger:

We have tested some of our own services from attacker’s perspective. We attacked ourselves from outside, without leaving a trace. Without using any privileged information or credentials we were able steal from ourselves the secret keys used for our X.509 certificates, user names and passwords, instant messages, emails and business critical documents and communication.

While companies were scrambling to implement a fix this week, nobody seemed to know whether any damage had been done.

(For more, see “Heartbleed: What you should know” in the Morning Mix)

The bug was found in a type of software called OpenSSL, which is used on servers to encrypt sensitive information to protect people’s privacy. At least 500,000 servers were reportedly vulnerable.

“You should care about this because — whether you realize it or not — a hell of a lot of the security infrastructure you rely on is dependent in some way on OpenSSL,” Matthew Green, a cryptographer and research professor at Johns Hopkins University, said on his blog. “This includes many of the websites that store your personal information. And for better or for worse, industry’s reliance on OpenSSL is only increasing.”

Through the security flaw, which is said to be one of the most serious uncovered in recent years, Heartbleed can access the contents of a server’s memory where private data is stored.

“Once an attacker has a website’s encryption keys, anything is fair game,” wrote Jill Scharr at Yahoo Tech. “Instead of slipping through a proverbial crack in the wall, he can now walk in and out the front door.”

A fix was circulated, but it was unclear how quickly and widely it was being implemented. Conflicting advice was given to consumers by Web sites and technology writers, some advising people to change usernames and passwords and others saying that such changes would be a big mistake.

“If a website is vulnerable, I could see things like your password, banking information and healthcare data, which you were under the impression you were sending securely to your website,” Michael Coates, director of product security for Shape Security, told Reuters.

It also means hackers can get copies of a server’s digital keys, and then use those keys to impersonate servers or to decrypt communications.

Experts were deeply worried about the bug, as wrote at TechCrunch:

When all the net security people you know are freaking out, it’s probably an okay time to worry. This afternoon, many of the net security people I know are freaking out. A very serious bug in OpenSSL — a cryptographic library that is used to secure a very, very large percentage of the Internet’s traffic — has just been discovered and publicly disclosed.
Very, very sensitive data often sits in a server’s system memory, including the keys it uses to encrypt and decrypt communication (read: usernames, passwords, credit cards, etc.) This means an attacker could quite feasibly get a server to spit out its secret keys, allowing them to read to any communication that they intercept like it wasn’t encrypted it all. Armed with those keys, an attacker could also impersonate an otherwise secure site/server in a way that would fool many of your browser’s built-in security checks.

Codenomicon created a Web site to answer questions about the bug, though the site might be too technical for some readers. Several sites devoted to technology published questions and answers for consumers, among them LifeHacker.

Researchers with Google and Codenomicon discovered the vulnerability. That prompted the Department of Homeland Security (DHS) to warn businesses of the problem on Tuesday and advise them to review their servers to see if they were using the flawed version of OpenSSL.

In an alert issued Tuesday, DHS said the bug “could allow a remote attacker to expose sensitive data, possibly including user authentication credentials and secret keys. … This may allow attackers to decrypt traffic or perform other attacks.”

Codenomicon said most Web users “are likely to be affected either directly or indirectly” because OpenSSL “is the most popular open source cryptographic library. … Your popular social site, your company’s site, commerce site, hobby site, site you install software from or even sites run by your government might be using vulnerable OpenSSL,” the company said.