A major flaw in OpenSSL, a popular cryptographic software library, has left many of the Internet's most trafficked websites vulnerable to attack.
OpenSSL is used by about two-thirds of all websites to encrypt the connections that carry private data such as usernames and passwords and more sensitive information like credit card numbers.
The coding flaw, nicknamed the Heartbleed Bug, has been present in OpenSSL releases for about two years and went unnoticed by security experts until an emergency announcement on Monday by the OpenSSL Project.
The bug was discovered this past weekend by researchers with Google and Internet security firm Codenomicon, working independently of each other.
Although there is no evidence yet that the flaw has been exploited for criminal intent, experts told The Crime Report that Web users should exercise caution.
Codenomicon researchers exploited it on their own site to get a sense of the potential damage, CEO David Chartier told The Crime Report.
“We got access to the memory and we got access to all our private encryption keys,” Chartier said, referring to the tools meant to keep information securely locked away.
An urgent security update by the staff of the blog platform Tumblr explained in layman's terms what the flaw means for everyday users:
“The little lock icon (HTTPS) we all trusted to keep our passwords, personal emails, and credit cards safe, was actually making all that private information accessible to anyone who knew about the exploit,” the site explained.
The bug was given the nickname Heartbleed because it was found in the code for a feature called "heartbeat," a small keep-alive message exchanged over an encrypted connection, which, when exploited, "leaks content" from the server's memory, according to information released by Codenomicon.
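As an added illustration, not code from this article, from Codenomicon or from OpenSSL itself, the C program below models the flaw in miniature. A heartbeat request carries a length field chosen by the peer; the vulnerable handler copies that many bytes back without checking the number against the size of the message that actually arrived, so whatever sits next in memory is returned to the sender. The fixed handler adds the one missing comparison. The record layout follows the TLS heartbeat extension (RFC 6520); the arena buffer, the sample request and the "secret" string are constructed for the demonstration and stand in for a real server's memory.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified heartbeat record layout (RFC 6520):
 *   [0]    message type (1 = request, 2 = response)
 *   [1..2] payload_length, big-endian
 *   [3..]  payload, followed by at least 16 bytes of padding
 * The record lives at the start of a constructed "arena" buffer that stands
 * in for the server process memory; the bytes after the record stand in for
 * whatever else happened to be there (here, a constructed secret string). */
#define ARENA_SIZE 256
#define MIN_PADDING 16
#define SECRET "PRIVATE-KEY-MATERIAL"   /* constructed stand-in, not real key data */

/* Build a request whose header claims claimed_len payload bytes but which
 * actually carries real_len bytes. Returns the true size of the record. */
static size_t build_request(uint8_t *rec, uint16_t claimed_len,
                            const uint8_t *payload, size_t real_len)
{
    rec[0] = 1;
    rec[1] = (uint8_t)(claimed_len >> 8);
    rec[2] = (uint8_t)(claimed_len & 0xff);
    memcpy(rec + 3, payload, real_len);
    memset(rec + 3 + real_len, 0, MIN_PADDING);
    return 3 + real_len + MIN_PADDING;
}

/* Vulnerable handler: trusts the peer-supplied length field and copies that
 * many bytes back, reading past the end of the record that actually arrived.
 * rec_len is never consulted; that omission is the whole bug. Returns the
 * number of payload bytes echoed (0 = nothing sent). */
static size_t heartbeat_vulnerable(const uint8_t *rec, size_t rec_len,
                                   uint8_t *resp, size_t resp_cap)
{
    (void)rec_len;
    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];
    if (3 + payload_len + MIN_PADDING > resp_cap) return 0; /* keeps the demo's write in bounds */
    resp[0] = 2;
    resp[1] = rec[1];
    resp[2] = rec[2];
    memcpy(resp + 3, rec + 3, payload_len);   /* over-read: payload_len exceeds the real payload */
    memset(resp + 3 + payload_len, 0, MIN_PADDING);
    return payload_len;
}

/* Fixed handler: the same logic plus the bounds check the fix added. A record
 * whose declared payload (plus header and minimum padding) does not fit in the
 * bytes actually received is silently discarded. */
static size_t heartbeat_fixed(const uint8_t *rec, size_t rec_len,
                              uint8_t *resp, size_t resp_cap)
{
    if (rec_len < 3 + MIN_PADDING) return 0;
    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];
    if (3 + payload_len + MIN_PADDING > rec_len) return 0;     /* the check that was missing */
    if (3 + payload_len + MIN_PADDING > resp_cap) return 0;
    resp[0] = 2;
    resp[1] = rec[1];
    resp[2] = rec[2];
    memcpy(resp + 3, rec + 3, payload_len);
    memset(resp + 3 + payload_len, 0, MIN_PADDING);
    return payload_len;
}

/* Run one malicious request (2 real payload bytes, 64 claimed) through the
 * chosen handler and report how many bytes of SECRET appear in the reply. */
static size_t leaked_secret_bytes(int use_fixed)
{
    uint8_t arena[ARENA_SIZE];
    uint8_t resp[ARENA_SIZE + 3 + MIN_PADDING];
    const uint8_t payload[2] = { 'h', 'i' };
    memset(arena, 0, sizeof arena);
    size_t rec_len = build_request(arena, 64, payload, sizeof payload);
    memcpy(arena + rec_len, SECRET, strlen(SECRET));  /* "other" memory right after the record */
    size_t n = use_fixed ? heartbeat_fixed(arena, rec_len, resp, sizeof resp)
                         : heartbeat_vulnerable(arena, rec_len, resp, sizeof resp);
    size_t slen = strlen(SECRET);
    for (size_t i = 0; i + slen <= n; i++)
        if (memcmp(resp + 3 + i, SECRET, slen) == 0) return slen;
    return 0;
}

/* The fix must not break honest traffic: a request whose declared length
 * matches its real payload is still echoed back. */
static int fixed_echoes_honest_request(void)
{
    uint8_t arena[ARENA_SIZE];
    uint8_t resp[ARENA_SIZE + 3 + MIN_PADDING];
    const uint8_t payload[2] = { 'h', 'i' };
    memset(arena, 0, sizeof arena);
    size_t rec_len = build_request(arena, 2, payload, sizeof payload);
    size_t n = heartbeat_fixed(arena, rec_len, resp, sizeof resp);
    return n == 2 && resp[0] == 2 && memcmp(resp + 3, payload, 2) == 0;
}

int main(void)
{
    printf("vulnerable handler leaked %zu secret bytes\n", leaked_secret_bytes(0));
    printf("fixed handler leaked %zu secret bytes\n", leaked_secret_bytes(1));
    printf("fixed handler still answers honest requests: %s\n",
           fixed_echoes_honest_request() ? "yes" : "no");
    return 0;
}
```

Run with a plain `cc -std=c99` build: the vulnerable handler hands back all 20 bytes of the constructed secret, the fixed handler returns nothing for the malformed request, and an honest request still gets its echo. The demo claims only 64 bytes so that the over-read stays inside the constructed arena; the length field is 16 bits, so a real request can claim far more per message. Note also what the fix does and does not do: it stops further reads, but it cannot undo whatever earlier requests already copied out, which is why a patched server still has to replace any keys that may have been exposed.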
Perhaps worse, hackers can exploit the code without leaving any forensic trace, Chartier said.
That means ordinary server logs give no way to tell which sites have actually been compromised or how much data has been taken: a malicious heartbeat request looks like legitimate protocol traffic and is not recorded by the web server.
“We don't know to what extent it's been exploited, but you have to assume it has,” Chartier said. “It's been out there for two years, so somebody's probably exploited it.”
Major vulnerable sites include Yahoo and OKCupid, but users shouldn't rush to change all their passwords just yet.
OpenSSL released a patched version (1.0.1g) for sites running the faulty code, but there's no point in updating sensitive information until after a site has confirmed it has installed the update and, because the bug can expose a server's private encryption keys, has replaced those keys and certificates as well; a new password sent to a site that is still using leaked keys is no safer than the old one.
Until then, experts warn that hackers are likely bouncing from site to site, searching for the most vulnerable.
“The odds that people are trying to exploit this are pretty high,” said Jean-Francois Hardy, the owner of Lime 9, a Boulder, CO-based web services company.
The good news for most Internet users is that word of the flaw spread fast on Tuesday, and the Internet's security industry was rushing to install the OpenSSL patch.
Amazon, the Internet's largest cloud computing platform (whose customers include The Crime Report) announced Tuesday that it had updated all of its servers.
Experts contacted by The Crime Report said most major firms should follow suit this week.
In the meantime, Hardy said users should avoid logging on to sites where they store particularly sensitive information.
“Be careful going to your bank's website,” Hardy said. “Until they can verify they've installed the patch.”
Graham Kates is deputy managing editor of The Crime Report. He welcomes comments from readers. He can be found on Twitter, @GrahamKates.