HuffPost UK Tech
Michael Rundle

'Heartbleed' Bug: Change ALL Of Your Passwords Warn Security Experts


Security experts are advising the public to change their passwords in the wake of the Heartbleed bug, a flaw in OpenSSL, the encryption software that sits behind a large share of the internet's secure connections.

That's all of your passwords. And yes, that includes your bank, your email, your social networks and anywhere you've ever bought anything online.

The Heartbleed bug affects OpenSSL, an open-source software library that implements SSL/TLS, the encryption used by a large proportion of websites, email servers and other online services.

Usually the public only encounters this technology as the little "padlock" icon in the browser's address bar, which indicates that the connection to the site is encrypted.

Unfortunately, security researchers have established a serious flaw in some versions of OpenSSL (the 1.0.1 series released before the fix) that could have let attackers read passwords, encryption keys and other personal data straight out of a server's memory, silently and without leaving a trace in the server's logs, for roughly the last two years.

A fixed version of OpenSSL has been released and is being rolled out by companies worldwide, but the fix does nothing about data that may already have been read while a site was vulnerable at any point in the last two years. Changing a password on a site that has not yet installed the fix is also pointless, since the new password can be pulled out of the server's memory in exactly the same way as the old one; the sensible order is to wait for a site to confirm it has patched, then change the password there.

In the last two days it has become substantially easier for anyone to exploit the bug, security company NCC Group has warned.

"The level of knowledge now needed to exploit this vulnerability is substantially less than it was 36 hours ago," it told the BBC.

"Someone with a moderate level of technical skills running their own scripts - the Raspberry Pi generation - would probably be able to launch attacks successfully and gain sensitive information."


Meanwhile Tumblr, the blogging platform owned by Yahoo, has advised users to change all of their passwords - and not just for its own site.

It said in a statement:

"Bad news. A major vulnerability, known as 'Heartbleed', has been disclosed for the technology that powers encryption across the majority of the internet. That includes Tumblr.

We have no evidence of any breach and, like most networks, our team took immediate action to fix the issue.

But this still means that the little lock icon (HTTPS) we all trusted to keep our passwords, personal emails, and credit cards safe, was actually making all that private information accessible to anyone who knew about the exploit.

This might be a good day to call in sick and take some time to change your passwords everywhere—especially your high-security services like email, file storage, and banking, which may have been compromised by this bug."

The bug was discovered independently by three researchers at the Finnish security firm Codenomicon and by Neel Mehta of Google's security team; it is tracked as CVE-2014-0160. The faulty code was added to OpenSSL at the end of December 2011 and shipped in version 1.0.1 in March 2012, so it has been in production for about two years, though it is unclear whether anyone exploited it before it was disclosed.

OpenSSL released the following advisory along with the patch, version 1.0.1g:

"A missing bounds check in the handling of the TLS heartbeat extension can be used to reveal up to 64k of memory to a connected client or server.

Only 1.0.1 and 1.0.2-beta releases of OpenSSL are affected including 1.0.1f and 1.0.2-beta1. Thanks to Neel Mehta of Google Security for discovering this bug and to Adam Langley and Bodo Moeller for preparing the fix."
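The "missing bounds check" in the advisory above, as an added example written for this article rather than OpenSSL's own code: a stripped-down model of the heartbeat handler in OpenSSL's ssl/t1_lib.c, with the vulnerable version next to the check that 1.0.1g added. A heartbeat record carries a one-byte type, a two-byte payload length, the payload and at least 16 bytes of padding (RFC 6520). The vulnerable code copies as many bytes as the length field claims, starting where the payload begins, without checking that the record it received actually contained that many, so a request with a 4-byte payload and a claimed length of 65535 is answered with 65535 bytes of whatever lay next to the record in memory. The fake memory arena, the constructed secret string and the helper names (build_arena, write_reply, probe) are this example's own inventions, as is the reply-size limit it derives from the 16-bit length field; the 64k figure in the advisory is per request, and nothing stops an attacker sending requests repeatedly to read successive chunks.

```c
/* Illustrative model of CVE-2014-0160, written for this article; not OpenSSL code.
 * Record layout per RFC 6520: type(1) | payload_length(2) | payload | padding(>=16). */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST   1                          /* TLS1_HB_REQUEST */
#define HB_RESPONSE  2                          /* TLS1_HB_RESPONSE */
#define HB_PADDING  16                          /* minimum padding RFC 6520 requires */
#define REPLY_MAX   (1 + 2 + 65535 + HB_PADDING)
#define ARENA_SIZE  (3 + 65535)                 /* any 16-bit claimed length stays in-model */

/* Constructed "process memory": the received record sits at the start, followed by
 * bytes standing in for whatever the server had next to it on the heap (a made-up
 * secret here; session keys, cookies or other users' passwords in reality). */
static uint8_t arena[ARENA_SIZE];
static size_t  record_len;                      /* what the TLS record layer really received */
static const char SECRET[] = "session=deadbeef; password=hunter2";

/* Write a request whose real payload is 4 bytes ("ping") but whose length field
 * claims `claimed` bytes. An honest client sets claimed == 4. */
static void build_arena(uint16_t claimed) {
    size_t n = 0;
    memset(arena, 0, sizeof arena);
    arena[n++] = HB_REQUEST;
    arena[n++] = (uint8_t)(claimed >> 8);       /* big-endian, as OpenSSL's n2s() reads it */
    arena[n++] = (uint8_t)(claimed & 0xff);
    memcpy(arena + n, "ping", 4);
    n += 4 + HB_PADDING;                        /* payload plus (zeroed) padding */
    record_len = n;
    memcpy(arena + n, SECRET, sizeof SECRET);   /* adjacent heap contents */
}

/* Build the response: echo `payload` bytes starting at p, then padding. */
static size_t write_reply(uint8_t *out, const uint8_t *p, uint16_t payload) {
    uint8_t *bp = out;
    *bp++ = HB_RESPONSE;
    *bp++ = (uint8_t)(payload >> 8);
    *bp++ = (uint8_t)(payload & 0xff);
    memcpy(bp, p, payload);                     /* overruns the record when payload lies */
    bp += payload;
    memset(bp, 0, HB_PADDING);                  /* OpenSSL fills this with random bytes */
    return (size_t)(bp - out) + HB_PADDING;
}

/* Vulnerable handler (1.0.1 through 1.0.1f): trusts the length field inside the
 * record and never compares it with record_len. */
static size_t heartbeat_vulnerable(uint8_t *out) {
    const uint8_t *p = arena;
    uint8_t hbtype = *p++;
    uint16_t payload = (uint16_t)((p[0] << 8) | p[1]);
    p += 2;
    if (hbtype != HB_REQUEST) return 0;
    return write_reply(out, p, payload);
}

/* Fixed handler (1.0.1g): a record too short for header plus padding, or whose
 * claimed payload does not fit in what was received, is silently discarded. */
static size_t heartbeat_fixed(uint8_t *out) {
    const uint8_t *p = arena;
    if (record_len < 1 + 2 + HB_PADDING) return 0;
    uint8_t hbtype = *p++;
    uint16_t payload = (uint16_t)((p[0] << 8) | p[1]);
    p += 2;
    if (hbtype != HB_REQUEST) return 0;
    if (1 + 2 + (size_t)payload + HB_PADDING > record_len) return 0;   /* the bounds check */
    return write_reply(out, p, payload);
}

/* Portable substring search over a byte buffer (memmem is not standard C). */
static int contains(const uint8_t *hay, size_t hlen, const char *needle) {
    size_t nlen = strlen(needle);
    for (size_t i = 0; nlen > 0 && i + nlen <= hlen; i++)
        if (memcmp(hay + i, needle, nlen) == 0) return 1;
    return 0;
}

typedef struct { size_t len; int leaked; } probe_result;

/* Run one scenario: reply length (0 = request discarded) and whether the reply
 * carried bytes from beyond the record, i.e. whether the secret leaked. */
static probe_result probe(uint16_t claimed, int use_fix) {
    static uint8_t reply[REPLY_MAX];
    probe_result r;
    build_arena(claimed);
    r.len = use_fix ? heartbeat_fixed(reply) : heartbeat_vulnerable(reply);
    r.leaked = contains(reply, r.len, SECRET);
    return r;
}

int main(void) {
    const uint16_t lengths[] = {4, 65535};
    for (int i = 0; i < 2; i++) {
        probe_result v = probe(lengths[i], 0), f = probe(lengths[i], 1);
        printf("claimed=%5u  vulnerable: %5zu bytes, leak=%d   fixed: %5zu bytes, leak=%d\n",
               lengths[i], v.len, v.leaked, f.len, f.leaked);
    }
    return 0;
}
```

Compile with any C99 compiler (for example `cc -std=c99 heartbleed_model.c`). The honest request gets the same 23-byte reply from both handlers; the lying request gets 65554 bytes containing the secret from the vulnerable handler and no reply at all from the fixed one. The entire fix is the single comparison in heartbeat_fixed: the claimed length plus header and padding must fit inside the length the record layer actually received, and a request that fails it is dropped without a response, which is what the 1.0.1g patch does.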

The Codenomicon researchers add that there is a "bright side" to their discovery:

"For those service providers who are affected this is a good opportunity to upgrade security strength of the secret keys used. A lot of software gets updates which otherwise would have not been urgent. Although this is painful for the security community, we can rest assured that infrastructure of the cyber criminals and their secrets have been exposed as well."