The newly discovered Heartbleed bug is being called the Web’s worst security bug ever.
It allows hackers to steal passwords and login details when users visit vulnerable sites — undetected. That’s the bad part: affected sites probably have no idea they’re vulnerable. The bug is subject to an emergency security advisory. Some experts are estimating that up to 66% of the Internet’s servers could be affected. Each server has to be fixed manually. So it could take a while.
In the meantime:
- Don’t log into any sites until you’ve officially been given the all clear.
- Change all your passwords for websites and email. Especially for sensitive sites like banks, credit cards and webmail. However: wait until you know a site has been patched before changing passwords. Sites like Tumblr and Yahoo sent out warning emails earlier today telling users to change their passwords.
- Apple.com and iCloud appear to be unaffected, according to this (unofficial) list on Github.
- Install the Chromebleed Checker for Google’s Chrome browser — it pops a warning if a site is vulnerable (Cult of Mac is not. See screenshot below).
We’ve reached out to Apple’s PR department for comment. No reply yet. We’ll update if Apple makes any statement or issues an advisory.
The Heartbleed bug is a nasty one. It affects webservers — the computers that power websites. It does not affect your computer or iOS device — but it makes you vulnerable because hackers can potentially steal your details from the sites you visit. It’s a flaw in OpenSSL, an encryption technology used by the vast majority of websites on the Net, although, apparently, not Apple’s website or its online services like iCloud. Google, Microsoft and big banks also appear not to be vulnerable, but many smaller sites and servers could be.
The flaw allows hackers to pull data from a server’s working memory, including the server’s encryption keys. That would allow hackers to decrypt all traffic to and from the server, exposing sensitive data like logins, passwords and everything else.
You can check individual sites using this Heartbleed checker.
It affects an older version of OpenSSL that’s been around for two years, so even sites that have been updated may have been vulnerable in the past. No one can tell because the flaw allows hackers to plunder data without leaving any trace that they were there. There’s evidence that hackers are aware of the flaw and have been exploiting it, according to reports.
There’s a more technical explanation at Heartbleed.com, which estimates that up to 66 percent of the web may be vulnerable. Huge services like Yahoo, OKCupid and Tumblr use OpenSSL to encrypt data.
Until the majority of webservers are fixed, the best advice is to temporarily stay away from sites that could expose your private details.
Vulnerable servers will have to be patched by their administrators, on a server-by-server basis, which might take days or even weeks. And there’s no guarantee that all the vulnerable servers will get patched. The best advice is to treat each on a site-by-site basis.
And if you are really security conscious, the TOR project is advising that you might want to avoid the internet altogether.