Heartbleed Bug Targets Online Activity
The bug itself may be called “Heartbleed,” but what should really get your blood pumping is the potential loss of your members' personally identifiable information, including credit card data and passwords.
The bug, which sat undetected in widely used software for roughly two years, is not an attack on an individual website or company like the recent breaches at Target, Mt. Gox, and others. Heartbleed is a flaw in OpenSSL, the open-source library that many servers rely on to encrypt traffic, so any server running a vulnerable version can be targeted.
Tens of thousands of servers that house data for thousands of websites could be affected by the bug. The flaw lets an attacker read chunks of a server's memory, and that memory can contain whatever happened to be there: session cookies, usernames and passwords, and even the private key the server uses to prove its identity. In essence, anyone who has conducted a business transaction or even saved a password on an affected website could be exposed.
Finnish security firm Codenomicon, which helped discover the bug, said this could be one of the worst invasions of privacy in Internet history.
“This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content,” the firm said. “This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.”
The firm said it tested the exploit against its own servers and was able to read data and leave without a trace. The OpenSSL project released a fixed version, 1.0.1g, that closes the hole, although widespread adoption may take some time. Patching alone is not enough: because the flaw can expose a server's private key, operators should also generate new keys, reissue their certificates, and revoke the old ones, and users should change passwords on affected sites only after the site has confirmed it is patched. In one key instance, Yahoo confirmed to Reuters that Yahoo Mail was vulnerable to the bug, but a spokesman said all major Yahoo sites have been patched since the bug's discovery.
It’s currently unclear whether the security bug has been exploited on a widespread basis. As Lindsey Bever of the Washington Post wrote, “It’s as if someone went on vacation not knowing the lock on the front door was broken. Could someone walk in? Yes. Will they? Did they? Who knows?”
Originally published on InsideCounsel. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed.