This vulnerability regarding OpenSSL named ‘Heartbleed’ came into the forefront on the April 8th 2014. It was discovered by a team of Google security researchers and exploited before it was disclosed to the general public. It forms a core part of the cryptographic software library in OpenSSL, and its weakness is in the SSL/TLS encryption used to secure the internet and used by websites like Google, Yahoo, Reddit etc. This vulnerability is open to being stolen by hackers and security agencies like the NSA. OpenSSL is open source and is maintained by a team of development volunteers who rely on donations for support.
A lot of websites by now, have already fixed this vulnerability, but some still are in the process of fixing it. Google and Yahoo have already fixed it. Other popular websites like Microsoft Hotmail and others remain unaffected because they do not use OpenSSL. In Canada, their tax authority as of last week stopped collecting taxes as a result of this bug. It recently disclosed that social insurance numbers of over 900 customers have been compromised or stolen by hackers. Security experts have said that since this vulnerability had existed in OpenSSL for almost 2 years, so it is possible for the bug to have been exploited by hackers.
Why is it named ‘Heartbleed’? The reason is; it exploits a built in feature in OpenSSL named Heartbeat. When we access a website like Gmail, it responds back to make us aware that it is active and listening to our requests. This exchange of information is done via the use of data. Accessing a website would only result in that amount of data being transferred back that was originally sent by us in our initial request. The websites that are vulnerable to ‘Heartbleed’ do not exhibit this behavior described above. The hacker or any individual exploiting this bug on the affected server would be able to gather more data than sent upon the original request up to 65,336 bytes. Due to it,our sensitive data like email, banking, social media, e-commerce, login details are open to being stolen. So are credit card details if stored there.
In the aftermath of the vulnerability being disclosed, various websites affected have scrambled quickly to apply the fix. Certain websites have been created to check for the ‘Heartbleed’ vulnerability for users. To confirm whether the website being used is still vulnerable or not can be checked here:
The safety precautions given would recommend changing the passwords immediately for all websites affected. Before doing that, it would be beneficial to confirm whether the exploit has already been patched by the relevant website or not. The website URL provided above should be able to reveal that. For example, the famous cloud storage website Box.com has confirmed recently a week after the bug was disclosed to the masses, that it had fixed its website for ‘Heartbleed’. It has recommended all its users to please reset their passwords. Not are only websites affected by it, but also certain networking equipment provided and made by Juniper networks and Cisco Systems. Blackberry has also confirmed, that its popular cross platform messenger service BBM is affected by ‘HeartBleed’. The update has been released on the iOS and Android platform recently. Other Blackberry devices remain unaffected as of now.
As per the disclosure, the massive impact that ‘HeartBleed’ vulnerability has had in the past week or so, it is possible to come across another major security threat like this again.
*Image has been taken from this url :
http://cdn.itproportal.com/big_files/heartbleed-infographic-how-works-large.jpg
