The newly discovered Heartbleed bug is being called the Web’s worst security bug ever.
It allows hackers to steal passwords and login details when users visit vulnerable sites — undetected. That’s the bad part: affected sites probably have no idea they’re vulnerable. The bug is subject to an emergency security advisory. Some experts are estimating that up to 66% of the Internet’s servers could be affected. Each server has to be fixed manually. So it could take a while.
In the meantime:
- Don’t log into any sites until you’ve officially been given the all clear.
- Change all your passwords for websites and email, especially for sensitive sites like banks, credit cards and webmail. However, wait until you know a site has been patched before changing passwords. Sites like Tumblr and Yahoo sent out warning emails earlier today telling users to change their passwords.
- Apple.com and iCloud appear to be unaffected, according to this (unofficial) list on GitHub.
- Install the Chromebleed Checker for Google’s Chrome browser — it pops a warning if a site is vulnerable (Cult of Mac is not. See screenshot below).
We’ve reached out to Apple’s PR department for comment. No reply yet. We’ll update if Apple makes any statement or issues an advisory.