A newly discovered bug dubbed “Heartbleed” has caused panic all over the web. Security researchers and web administrators scrambled Tuesday to fix the bug in the OpenSSL encryption library. It is a serious issue because OpenSSL is used by thousands of web servers, including those of Yahoo, Flickr and Imgur. The vulnerability leaves even the most popular websites open to attack.
The Heartbleed bug has been around for two years
Security experts say that it is the most serious security issue uncovered in the past few years. The Heartbleed bug was discovered by Google Inc (NASDAQ:GOOGL) (NASDAQ:GOOG) security researcher Neel Mehta and the security firm Codenomicon. The bug allows anyone to read the memory of servers running a vulnerable version of OpenSSL. It puts your user ID, password, banking information, credit card number and healthcare data at risk. On Tuesday, the U.S. Department of Homeland Security advised businesses to review their servers to find out whether they have been running vulnerable versions of the encryption software.
The worst thing about Heartbleed is that it has been around for more than two years. So no one really knows how many attackers have exploited it, or how many servers have been compromised. A Yahoo! Inc. (NASDAQ:YHOO) spokesperson told Reuters that Yahoo Mail had been vulnerable to attack, but that it has since been patched, along with the company’s other sites including Yahoo Finance, Yahoo Search, Flickr, Tumblr and Yahoo Sports.
You are likely to be affected by the Heartbleed bug, either directly or indirectly
Heartbleed is different from other security breaches of the past few years, in which individual websites were hacked. In this case, the bug is in the code that is designed to keep servers secure. That is why many security experts have called it the most dangerous bug ever. It is so serious that the Tor Project has advised Internet users to go offline for a few days.
The OpenSSL Project has launched a new website, www.heartbleed.com, to inform webmasters and users about the bug. The OpenSSL Project said in a separate note that affected users should immediately “upgrade to OpenSSL 1.0.1g.” The bug’s ease of exploitation, its long exposure, and the fact that attacks leave no trace are the reasons server administrators and security researchers are so alarmed.
Answering the question “Am I affected by the bug?”, the OpenSSL website says, “you are likely to be affected either directly or indirectly.”
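For administrators following the advice above to review their servers, here is an added example (not code from the article or from the OpenSSL Project) that classifies the output of `openssl version` against the affected range: the 1.0.1 releases before the fixed 1.0.1g, plus the 1.0.2-beta1 pre-release, carried the bug, while the 1.0.0 and 0.9.8 branches never contained the faulty heartbeat code. The sample banners and the `backported` flag are constructed for illustration; some Linux distributions shipped the fix without changing the upstream version letter, which the flag models.

```python
import re
from typing import NamedTuple

# 1.0.1 through 1.0.1f are affected; 1.0.1g is the release the article cites as the fix.
FIXED_LETTER = "g"

class Verdict(NamedTuple):
    version: str
    status: str  # "vulnerable", "fixed", "not_affected" or "unknown"
    note: str

# Matches banners such as "OpenSSL 1.0.1e 11 Feb 2013" or "OpenSSL 1.0.2-beta1".
_VERSION_RE = re.compile(
    r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-(beta\d+|fips[\w.]*))?", re.I
)

def classify_openssl_version(banner: str, backported: bool = False) -> Verdict:
    """Classify an `openssl version` banner against the Heartbleed range.

    backported=True means the distribution states it patched the bug without
    bumping the upstream letter (hypothetical input flag; e.g. a 1.0.1e build
    rebuilt after the fix). Confirm such claims with `openssl version -a`
    and the vendor advisory rather than trusting the letter alone.
    """
    m = _VERSION_RE.search(banner)
    if not m:
        return Verdict(banner.strip(), "unknown", "could not parse version string")
    major, minor, patch, letter, suffix = m.groups()
    version = f"{major}.{minor}.{patch}{letter}" + (f"-{suffix}" if suffix else "")
    branch = (major, minor, patch)
    if branch not in (("1", "0", "1"), ("1", "0", "2")):
        return Verdict(version, "not_affected", "branch never contained the heartbeat bug")
    if branch == ("1", "0", "2"):
        # Only the first 1.0.2 beta shipped the bug; beta2 and the final release are fixed.
        vulnerable = suffix is not None and suffix.lower() == "beta1"
    else:
        # "" (plain 1.0.1) and letters a..f sort below "g"; g and later are fixed.
        vulnerable = letter.lower() < FIXED_LETTER
    if vulnerable and backported:
        return Verdict(version, "fixed", "fix backported by distribution; verify build date")
    if vulnerable:
        return Verdict(version, "vulnerable", "upgrade to OpenSSL 1.0.1g or later")
    return Verdict(version, "fixed", "release includes the fix")

if __name__ == "__main__":
    # Constructed sample banners, as printed by `openssl version` on a server.
    for banner in ("OpenSSL 1.0.1e 11 Feb 2013", "OpenSSL 1.0.1g 7 Apr 2014", "OpenSSL 0.9.8y"):
        print(classify_openssl_version(banner))
```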