'Heartbleed' Software Bug Is Way Worse than Thought - Your Emails and Searches May Put You at Risk

Hundreds of thousands of web and email servers worldwide have a software flaw that lets attackers steal the cryptographic keys used to secure online commerce and web connections, experts say.

The affected servers could also leak personal information to hackers when people carry out searches or log into email.

The bug, called "Heartbleed", affects web servers running a package called OpenSSL.

Among the systems confirmed to be affected are Imgur, OKCupid, Eventbrite, and the FBI's website, all of which run affected versions of OpenSSL. Attacks using the vulnerability are already in the wild: one lets a hacker look at the cookies of the last person to visit an affected server, revealing personal information. Connections to Google are not vulnerable, researchers say.

SSL is the most common technology used to secure websites. Web servers that use it securely send an encryption key to the visitor; that is then used to protect all other information coming to and from the server.

It is crucial in protecting services like online shopping or banking from eavesdropping, as it renders users immune to so-called man-in-the-middle attacks, where a third party intercepts both streams of traffic and uses them to discover confidential information.

Bleeding data

The Heartbleed bug – so called because it exploits a failure in an extension called heartbeat – not only lets attackers read the confidential encrypted data; it also allows them to take the encryption keys used to secure the data. That means that even servers which fix the bug, using a patch supplied by OpenSSL, must also update all their keys or risk remaining vulnerable.
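To make "a failure in an extension called heartbeat" concrete, here is an added illustration that is not from the article or from OpenSSL's own source: a simulated heartbeat handler in its pre-fix and post-fix forms, run against a constructed in-memory layout (a request record with constructed neighbouring data placed directly after it). The record format follows RFC 6520, and the length check in the fixed version mirrors the one the OpenSSL 1.0.1g patch added.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define HB_HDR      3   /* 1-byte type + 2-byte payload_length */
#define HB_PADDING 16   /* minimum padding required by RFC 6520 */

/* Constructed data that happens to sit next to the record in the heap. */
static const char NEIGHBOR[] = "session=abc123; user=alice";
/* Lay out a heartbeat request at the start of `mem` with NEIGHBOR right after it.
 * `claimed_len` is the peer-controlled payload_length field; returns the true record length. */
static size_t build_memory(unsigned char *mem, uint16_t claimed_len, const char *payload)
{
    size_t plen = strlen(payload), rec_len = HB_HDR + plen + HB_PADDING;
    mem[0] = 1;                                  /* TLS1_HB_REQUEST */
    mem[1] = (unsigned char)(claimed_len >> 8);
    mem[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(mem + HB_HDR, payload, plen);
    memset(mem + HB_HDR + plen, 0, HB_PADDING);
    memcpy(mem + rec_len, NEIGHBOR, sizeof NEIGHBOR);
    return rec_len;
}
/* Pre-fix behaviour: trusts payload_length and never consults rec_len, so the reply
 * is filled from whatever lies beyond the record. */
static size_t hb_reply_vulnerable(const unsigned char *rec, size_t rec_len, unsigned char *out, size_t out_cap)
{
    uint16_t claimed = (uint16_t)((rec[1] << 8) | rec[2]);
    (void)rec_len;
    if (claimed > out_cap) claimed = (uint16_t)out_cap;  /* demo-only: keeps the simulation in bounds */
    memcpy(out, rec + HB_HDR, claimed);
    return claimed;
}
/* Fixed behaviour: silently drop any record whose header + claimed payload + padding
 * exceeds the bytes actually received, which is what the OpenSSL 1.0.1g patch does. */
static size_t hb_reply_fixed(const unsigned char *rec, size_t rec_len, unsigned char *out, size_t out_cap)
{
    uint16_t claimed = rec_len < HB_HDR ? 0 : (uint16_t)((rec[1] << 8) | rec[2]);
    if (rec_len < HB_HDR || (size_t)HB_HDR + claimed + HB_PADDING > rec_len || claimed > out_cap) return 0;
    memcpy(out, rec + HB_HDR, claimed);
    return claimed;
}
/* 1 if the reply to a 2-byte payload that claims 400 bytes contains NEIGHBOR. */
static int leaks_neighbor(size_t (*handler)(const unsigned char *, size_t, unsigned char *, size_t))
{
    unsigned char mem[512] = {0}, out[512] = {0};
    size_t rec_len = build_memory(mem, 400, "hi"), off = rec_len - HB_HDR;
    size_t n = handler(mem, rec_len, out, sizeof out - HB_HDR);
    return n >= off + strlen(NEIGHBOR) && memcmp(out + off, NEIGHBOR, strlen(NEIGHBOR)) == 0;
}
```

The same one-line length check is why patched servers stop leaking, while the keys already read out before patching remain exposed, which is why the article says keys must be replaced as well.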

More worryingly still, the bug can cause servers to leak other information stored on the server which wouldn't normally be available at all. For instance, one developer reports the ability to see searches made by other users on privacy-focused search engine DuckDuckGo, while another reports similar data leakage from Yahoo. Worse still, Yahoo has been found to be leaking user credentials due to the bug. Yahoo did not return requests for comment.

That data leakage means that servers vulnerable to Heartbleed are less secure than they would be if they simply had no encryption at all. "This allows attackers to eavesdrop communications, steal data directly from the services and users, and to impersonate services and users," explained security group Codenomicon, which discovered the flaw.

Hidden in plain sight

The vulnerability was introduced in 2011, apparently by accident when the open-source code was updated, but the error was only spotted recently. That has raised fears that some attackers may already have been exploiting it to steal information. "Unfortunately it is not clear at the moment that there is any way to know whether this has already happened, since the vulnerability has been around for two years," explains Matthew Bloch, the managing director of hosting company Bytemark.

It is the third serious bug in cryptographic connectivity discovered this year. In February, Apple revealed that a simple programming mistake meant that since September 2013 its iPhone, iPad and newer Mac OS X software all failed to check the security of websites they connected to. It issued a patch for the software in February.

Weeks later a similar flaw was discovered in the open source TLS system, leaving thousands of apps open to eavesdropping. That was reckoned to have been there since 2005.

Stay offline?

For users, the simplest thing to do may be to refrain from engaging in sensitive activities on the internet for a few days. Typical responses to security breaches, such as changing passwords, may even serve to exacerbate the problem. While there are tests which will show whether a particular website is vulnerable, checking every site is cumbersome, and the most popular web-based test is suffering under heavy load.

The issue is widespread. "We count at least a few hundred thousand servers using affected library versions so that it poses a significant threat," says Mark Schloesser, a security researcher at penetration testing firm Rapid7. "As the same problem affects other protocols/services such as mail servers and databases, we assume that overall we're looking at millions of vulnerable systems connected to the public internet."
