The ‘Heartbleed’ flaw in an encryption technology used in millions of sites has left internet giants such as Yahoo and Minecraft developer Mojang interrupting service as they scramble to find a ‘fix’.
The source of the bug, which has affected at least 500,000 sites and millions of users, was a small programming error made by a PhD student, who has spoken of his regret at the incident.
The BBC reports that computers vulnerable to the bug are already being scanned – although it’s still not clear whether this is the work of researchers or cybercriminals. Around 500,000 servers are vulnerable according to Netcraft, although many have rapidly deployed the patch.
Ars Tehnica has claimed that evidence shows that sites with the bug were probed “months” before it had been revealed – which could mean that it has been exploited to steal data.
The offending code was submitted just before New Year in 2012, by Robin Seggelmann, a PhD student no longer attached to the project. Speaking to The Guardian, he said,
“I am responsible for the error, because I wrote the code and missed the necessary validation by an oversight. Unfortunately, this mistake also slipped through the review process and therefore made its way into the released version.”
“The code… was the work of several weeks. It’s only a coincidence that it was submitted during the holiday season.
Computing Magazine has reported that the flaw has been detected in networking equipment from Cisco and Juniper. The fact that the flaw has been found in networking gear including firewall hardware could mean the situation is even more serious. Speaking to the Wall Street Journal, a Juniper spokesperson said, “It doesn’t sound like a flip-the-switch sort of thing. I don’t know how quickly it can be resolved.”
Naturally, the internet has flooded with advice on what to do – with some alarmist pieces claiming that all passwords must be reset. Wired described the bug as “catastophic” and claimed that the entire internet needed a password reset.
Google, for instance, said that its passwords did not need to be reset unless they were used on other sites.
Password manager application LastPass has created a tool which allows site owners and users to check if a site is vulnerable.
The flaw, in the widely used open-source encryption technology OpenSSL, could have left user data vulnerable to cybercriminals.
The bug, known as ‘Heartbleed’ is described as one of the “most serious security flaws ever found” according to the Telegraph’s report. It afffects the open-source encryption software OpenSSL – which is used on millions of web servers – and has been undiscovered for more than two years. The Telegraph reports that it could have been used to steal passwords, credit card details and even encryption keys, without trace.
Major sites including Yahoo Mail and others, are vulnerable, and are scrambling to deploy fixes. A proof-of-concept exploit for the bug has already been posted on coding site Github.
The researchers who discovered Heartbleed say that it has left private keys, and other secrets exposed “for years”. The researchers tested the vulnerability themselves and wrote that they were able to gain access to large amounts of data, leaving no trace of their presence.
“We have tested some of our own services from an attacker’s perspective,” they wrote. “We attacked ourselves from outside, without leaving a trace. Without using any privileged information, we were able steal from ourselves secret keys, usernames and passwords, instant messages, emails and business critical documents and communication.”
The bug was discovered by researchers from Finnish firm Codenomicon working with Google. A dedicated website helps to explain some of the risks – although the researchers admit they do not know how widely the bug has been exploited.
“The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet,” the firm writes.
“The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.”
ESET Senior Research Fellow David Harley offers advice on how to deal with the problem, “Sites that have never run the 1.0.1 and 1.0.2-beta releases of OpenSSL including 1.0.1f and 1.0.2-beta1 shouldn’t be panicking about this, but those that are running them need to upgrade to 1.0.1g or recompile -DOPENSSL_NO_HEARTBEATS, as recommended by the OpenSSL security advisory. However, they should also be looking for and revoking (and reissuing) compromised keys, and changing user passwords. This applies even to sites that ran a vulnerable version for a while but have upgraded since, as the bug has been around since 2011. While I haven’t checked all the links and resources listed there, this site looks like an excellent starting point for sites that need to know more about the problem and its remediation, as well as the heartbleed.com page. It’s worth remembering that some embedded devices also use OpenSSL: it isn’t just a server issue.”
Open SSL wrote on their site, “A missing bounds check in the handling of the TLS heartbeat extension can be used to reveal up to 64kB of memory to a connected client or server. This issue did not affect versions of OpenSSL prior to 1.0.1.
Author Rob Waugh, We Live Security