A critical bug found at the core of the internet could be about to cause havoc online.
Known as 'Heartbleed', the bug has been found in part of the code that runs encrypted websites, known as OpenSSL.
And yes, you are affected. Directly.
Most websites with any form of encryption, from email to social media, use SSL or TLS, indicated by the padlock icon in the browser (in the address bar, or in older browsers the status bar at the bottom of the window).
If exploited, the bug allows an attacker to read chunks of a vulnerable server's memory, and with them virtually any information passed between users and that server: session cookies, usernames and passwords, and the contents of requests and responses. Depending on how the server is set up, that memory can also contain the server's private key, and with the key an attacker can decrypt traffic they have already collected.
The potential devastation is enormous: if attackers have silently recorded transactions with online shops or even banks running affected versions of OpenSSL over the last two years, and now pull those servers' private keys with this bug, that recorded data could potentially be decrypted. And easily. The one saving grace is for connections that negotiated a forward-secret key exchange, whose session keys cannot be recovered from the server's private key alone.
Or, to put it another way:
Ok, I see now that heartbleed does not require MITM to be exploited. It's serious then. #runforthehills
— Andreas Lindh (@addelindh) April 8, 2014
The attack leaves no trace in ordinary server logs, and has left a large number of private keys and a great deal of user data exposed on the internet. Essentially it allows an attacker to make any system running a vulnerable version of OpenSSL reveal chunks of its memory on demand, with nothing more than a malformed heartbeat message.
"The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content.
This allows attackers to eavesdrop communications, steal data directly from the services and users and to impersonate services and users."
The bug was discovered by three researchers from Codenomicon and a security researcher at Google. The vulnerability has existed since at least December 2011, though it is unclear if it has been used by hackers.
Luckily the bug has already been fixed, but it's up to web admins to install the patch, and there is no way for the researchers to force the update to be applied. Patching alone is not enough, either: because private keys may already have been read out of memory, administrators also need to generate new keys, have new certificates issued and revoke the old ones, and users should change their passwords once the services they use have done so. According to ZDNet, security teams at Red Hat, Debian, SuSE, Canonical, and Oracle among other major vendors are working at a "feverish" pace to get fixed packages out.
OpenSSL released the following statement along with the patch:
"A missing bounds check in the handling of the TLS heartbeat extension can be used to reveal up to 64k of memory to a connected client or server.
Only 1.0.1 and 1.0.2-beta releases of OpenSSL are affected including 1.0.1f and 1.0.2-beta1. Thanks for Neel Mehta of Google Security for discovering this bug and to Adam Langley and Bodo Moeller for preparing the fix."
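To make the "missing bounds check" in that statement concrete, here is an added C illustration of the bug class, written for this article and not taken from OpenSSL. It lays out a heartbeat record as RFC 6520 does (one-byte type, two-byte payload length, payload, padding), places a short request in a simulated block of process memory with a constructed secret right behind it, and shows a handler that trusts the claimed length leaking that secret beside one that checks the claim against the bytes that actually arrived, which is what the fix does. The arena, the secret string and all function names are assumptions made for the demo.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added illustration of the Heartbleed bug class, not OpenSSL's code. Record
 * layout follows RFC 6520 (1-byte type, 2-byte payload_length, payload, >=16
 * bytes padding). The memory layout and the "secret" beside it are constructed. */
#define HB_REQUEST     1
#define HB_RESPONSE    2
#define HB_MIN_PADDING 16

/* A received heartbeat record: its bytes and how many actually arrived. */
typedef struct { const unsigned char *data; size_t length; } hb_record;

/* Simulated process memory: the record goes at the front, and something
 * sensitive (a constructed marker, not a real key) happens to sit right after it. */
static unsigned char arena[1024];
static const char SECRET[] = "-----BEGIN RSA PRIVATE KEY----- (constructed)";

static uint16_t get_u16(const unsigned char *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static void put_u16(unsigned char *p, uint16_t v) { p[0] = (unsigned char)(v >> 8); p[1] = (unsigned char)v; }

/* Write a request whose header claims claimed_len payload bytes while only
 * actual_payload bytes of 'A' really arrive, then plant SECRET just past it. */
static hb_record build_request(uint16_t claimed_len, size_t actual_payload) {
    memset(arena, 0, sizeof arena);
    arena[0] = HB_REQUEST;
    put_u16(arena + 1, claimed_len);
    memset(arena + 3, 'A', actual_payload);
    size_t rec_len = 3 + actual_payload + HB_MIN_PADDING;
    memcpy(arena + rec_len, SECRET, sizeof SECRET);   /* neighbouring memory */
    return (hb_record){ arena, rec_len };
}

/* Build the response: type, echoed length, `payload` bytes copied from src,
 * then padding. The caller is responsible for bounding `payload`. */
static unsigned char *hb_echo(const unsigned char *src, uint16_t payload, size_t *out_len) {
    *out_len = 3 + (size_t)payload + HB_MIN_PADDING;
    unsigned char *resp = malloc(*out_len);
    if (!resp) return NULL;
    resp[0] = HB_RESPONSE;
    put_u16(resp + 1, payload);
    memcpy(resp + 3, src, payload);       /* copies whatever happens to be there */
    memset(resp + 3 + payload, 0, HB_MIN_PADDING);
    return resp;
}

/* Vulnerable: trusts the attacker-supplied payload_length and never compares it with
 * rec->length, so a 23-byte record claiming 300 bytes makes hb_echo read 300 bytes
 * from the record onward into whatever follows it (up to 65535 bytes per request). */
static unsigned char *hb_respond_vulnerable(const hb_record *rec, size_t *out_len) {
    const unsigned char *p = rec->data;
    if (*p++ != HB_REQUEST) return NULL;
    return hb_echo(p + 2, get_u16(p), out_len);
}

/* Fixed: the record must hold at least a header plus padding, and the claimed
 * payload plus padding must fit in the bytes that actually arrived; anything
 * else is dropped silently, as the OpenSSL fix does. */
static unsigned char *hb_respond_fixed(const hb_record *rec, size_t *out_len) {
    if (rec->length < 3 + HB_MIN_PADDING) return NULL;
    const unsigned char *p = rec->data;
    if (*p++ != HB_REQUEST) return NULL;
    uint16_t payload = get_u16(p);
    if ((size_t)3 + payload + HB_MIN_PADDING > rec->length) return NULL;
    return hb_echo(p + 2, payload, out_len);
}

/* 1 if the vulnerable handler's reply to a lying request carries SECRET. The copy
 * starts 3 bytes into the record, so arena offset rec.length maps to reply offset rec.length. */
int demo_vulnerable_leaks_secret(void) {
    hb_record rec = build_request(300, 4);
    size_t n; unsigned char *resp = hb_respond_vulnerable(&rec, &n);
    int leaked = resp && n == 3 + 300 + HB_MIN_PADDING &&
                 memcmp(resp + rec.length, SECRET, sizeof SECRET - 1) == 0;
    free(resp);
    return leaked;
}

/* 1 if the fixed handler drops that same lying request. */
int demo_fixed_drops_malicious(void) {
    hb_record rec = build_request(300, 4);
    size_t n;
    return hb_respond_fixed(&rec, &n) == NULL;
}
/* 1 if the fixed handler still echoes an honest request (and nothing more). */
int demo_fixed_echoes_honest(void) {
    hb_record rec = build_request(4, 4);
    size_t n; unsigned char *resp = hb_respond_fixed(&rec, &n);
    int ok = resp && n == rec.length && resp[0] == HB_RESPONSE && get_u16(resp + 1) == 4 &&
             memcmp(resp + 3, "AAAA", 4) == 0;
    free(resp);
    return ok;
}

int main(void) {
    printf("vulnerable leaks secret: %d\nfixed drops malicious: %d\nfixed echoes honest: %d\n",
           demo_vulnerable_leaks_secret(), demo_fixed_drops_malicious(), demo_fixed_echoes_honest());
    return 0;
}
```

Compile with any C99 compiler; each demo function returns 1 when the behaviour matches what the advisory describes. The real bug differs only in the plumbing: OpenSSL read the length out of the record with its n2s macro and copied with memcpy just as hb_echo does, and the fix is the comparison against the record's true length plus the silent discard. Because the leaked bytes are simply whatever sits next to the record in the process heap, the contents vary from request to request, which is why repeated probing could turn up keys, cookies and plaintext without leaving anything in the server's logs.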
The team of researchers who found it add that there is a "bright side" to their discovery:
"For those service providers who are affected this is a good opportunity to upgrade security strength of the secret keys used. A lot of software gets updates which otherwise would have not been urgent. Although this is painful for the security community, we can rest assured that infrastructure of the cyber criminals and their secrets have been exposed as well."