Heartbleed bug – Worst security vulnerability in history?

About the heartbleed bug

The server's secret keys can be leaked from the service or hosting provider, which allows an attacker to decrypt any encrypted traffic to the web server, including passwords. The attacker can then use those credentials to authenticate as the user. Of course, all other confidential or private information is exposed by this security flaw as well. To point out the seriousness of this vulnerability, some of the best-known companies that have been exposed to the Heartbleed bug are Google, Yahoo and Instagram. It has still not been confirmed whether Facebook was affected by the Heartbleed bug.

Method

The bug is in OpenSSL's implementation of the heartbeat extension (RFC 6520) for the TLS/DTLS transport layer security protocols. When it is exploited, it leaks memory contents from the server to the client and from the client to the server.
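To make the defect concrete from the defender's side, here is an added example (not OpenSSL's code, and not part of the original post) of how a heartbeat handler should validate a record before echoing its payload. The RFC 6520 message layout (type, 16-bit payload_length, payload, at least 16 bytes of padding) is taken from the standard; the function names, the status codes and the two sample records are constructed for this illustration. The single comparison in hb_validate is the kind of bounds check whose absence lets a peer's declared payload_length pull bytes from beyond the record it actually sent.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* RFC 6520 HeartbeatMessage layout (lengths in bytes):
 *   type            1   (1 = heartbeat_request, 2 = heartbeat_response)
 *   payload_length  2   (network byte order)
 *   payload         payload_length
 *   padding         >= 16
 */
#define HB_REQUEST      1
#define HB_RESPONSE     2
#define HB_HEADER_LEN   3
#define HB_MIN_PADDING  16

/* Status codes are constructed for this example. */
enum hb_status { HB_OK = 0, HB_TOO_SHORT, HB_BAD_TYPE, HB_LENGTH_MISMATCH };

/* Validate a heartbeat record before trusting its payload_length.
 * rec/rec_len is the record body exactly as received from the peer. */
enum hb_status hb_validate(const uint8_t *rec, size_t rec_len, uint16_t *plen_out)
{
    if (rec_len < HB_HEADER_LEN + HB_MIN_PADDING)
        return HB_TOO_SHORT;
    if (rec[0] != HB_REQUEST && rec[0] != HB_RESPONSE)
        return HB_BAD_TYPE;
    uint16_t plen = (uint16_t)((rec[1] << 8) | rec[2]);
    /* The check that must never be skipped: the peer's declared payload
     * length has to fit inside the bytes that actually arrived. Without it,
     * the echo below would copy plen bytes from whatever memory follows. */
    if ((size_t)HB_HEADER_LEN + plen + HB_MIN_PADDING > rec_len)
        return HB_LENGTH_MISMATCH;
    if (plen_out)
        *plen_out = plen;
    return HB_OK;
}

/* Build the heartbeat_response that echoes a request's payload.
 * Returns the number of bytes written, or -1 if the request fails
 * validation, is not a request, or the output buffer is too small. */
int hb_build_response(const uint8_t *rec, size_t rec_len,
                      uint8_t *out, size_t out_cap)
{
    uint16_t plen;
    if (hb_validate(rec, rec_len, &plen) != HB_OK || rec[0] != HB_REQUEST)
        return -1;
    size_t need = HB_HEADER_LEN + (size_t)plen + HB_MIN_PADDING;
    if (out_cap < need)
        return -1;
    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(plen >> 8);
    out[2] = (uint8_t)(plen & 0xff);
    memcpy(out + HB_HEADER_LEN, rec + HB_HEADER_LEN, plen); /* only bytes proven present */
    memset(out + HB_HEADER_LEN + plen, 0, HB_MIN_PADDING);  /* padding content is ignored */
    return (int)need;
}

/* Constructed sample records (not captured traffic). */
static const uint8_t GOOD_REQ[] = {
    HB_REQUEST, 0x00, 0x04, 'p', 'i', 'n', 'g',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };   /* 3 + 4 + 16 = 23 bytes */
static const uint8_t LYING_REQ[] = {
    HB_REQUEST, 0xff, 0xff, 'p', 'i', 'n', 'g',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };   /* declares 65535, carries 4 */

int main(void)
{
    uint8_t out[64];
    int n = hb_build_response(GOOD_REQ, sizeof GOOD_REQ, out, sizeof out);
    printf("well-formed request: response of %d bytes\n", n);
    n = hb_build_response(LYING_REQ, sizeof LYING_REQ, out, sizeof out);
    printf("over-declared request: %s\n", n < 0 ? "rejected" : "answered");
    return 0;
}
```

The same comparison is what a network-level detector would apply when inspecting heartbeat records: a declared payload_length larger than the enclosing record, or a flood of heartbeat requests carrying maximal lengths, is the observable signature on the wire, while on the host the only durable fix is the patched library.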

Recommendations

You should change all your passwords after the hosting/service provider has confirmed that the system is patched. All companies that know about security, big or small, should by now have patched the security flaw.

Here is a good list of well-known companies that were affected and whether they have reacted:
http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/
References

  • http://heartbleed.com/
  • http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0160