Not much consumers can do to fix the problem.
A flaw in the popular OpenSSL software has left millions of people vulnerable to having their banking information, tax files, emails, and other online data exposed. And there’s no reliable way to know whether someone has already accessed your information.
Nicknamed “Heartbleed,” the “bug” (tracked as CVE-2014-0160) is actually a weakness in OpenSSL’s implementation of the TLS heartbeat extension, not in SSL/TLS encryption itself. A site showing “https” is not automatically at risk; what matters is whether its server runs an affected OpenSSL release (1.0.1 through 1.0.1f) with heartbeats enabled. Against such a server, an attacker sends a heartbeat request that claims a larger payload than it actually carries. The server trusts the claimed length and replies with up to 64 KB of whatever happens to sit in its memory next to the request, and the attacker can repeat the trick as often as they like.
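The mechanism described above, reduced to its essentials as an added example (this is not code from the article, from Codenomicon, or from OpenSSL). A small simulated memory buffer holds an incoming heartbeat record followed by a constructed string standing in for the neighbouring heap; the vulnerable handler copies as many bytes as the attacker declared, the fixed handler applies the bounds check that OpenSSL 1.0.1g added. The guard that keeps the vulnerable copy inside the simulated buffer is a demo-only assumption and has no counterpart in the real bug.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* TLS record (RFC 5246): type(1) version(2) length(2) fragment.
   Heartbeat message (RFC 6520): type(1) payload_length(2) payload padding(>=16). */
#define TLS_CT_HEARTBEAT 24
#define HB_REQUEST        1
#define HB_PADDING       16
#define REC_HDR           5

/* Simulated process memory. The received record sits at the front; the
   constructed string after it (not real key material) plays the role of the
   neighbouring heap that the real bug read from. */
#define MEM_SIZE 256
static unsigned char memory[MEM_SIZE];
static const char neighbour[] = "PRIVATE-KEY-BYTES session=abc123 password=hunter2";

/* Write a heartbeat request into memory[]. declared_len is the attacker-controlled
   payload_length field; actual_len is how many payload bytes are really sent.
   Returns the total record length. */
size_t build_record(uint16_t declared_len, size_t actual_len) {
    size_t frag_len = 1 + 2 + actual_len + HB_PADDING;
    size_t total = REC_HDR + frag_len;
    memset(memory, 0, MEM_SIZE);
    memory[0] = TLS_CT_HEARTBEAT;
    memory[1] = 3; memory[2] = 2;                    /* version: TLS 1.1 */
    memory[3] = (unsigned char)(frag_len >> 8);
    memory[4] = (unsigned char)(frag_len & 0xff);
    memory[5] = HB_REQUEST;
    memory[6] = (unsigned char)(declared_len >> 8);
    memory[7] = (unsigned char)(declared_len & 0xff);
    memset(memory + 8, 'A', actual_len);             /* the real payload; padding stays zero */
    memcpy(memory + total, neighbour, sizeof neighbour); /* "heap" right after the record */
    return total;
}

/* Vulnerable responder, mirroring the pre-1.0.1g logic: it trusts payload_length
   and copies that many bytes from where the payload starts, never comparing it
   with the size of the record it actually received. Returns bytes copied or -1. */
int heartbeat_vulnerable(const unsigned char *mem, size_t rec_len,
                         unsigned char *out, size_t out_cap) {
    const unsigned char *hb = mem + REC_HDR;
    uint16_t payload;
    if (rec_len < 8 || mem[0] != TLS_CT_HEARTBEAT || hb[0] != HB_REQUEST) return -1;
    payload = (uint16_t)((hb[1] << 8) | hb[2]);
    /* Demo-only guard so the copy stays inside memory[]; the real code had no
       check here at all and read straight past the end of the record buffer. */
    if (8 + (size_t)payload > MEM_SIZE || payload > out_cap) return -1;
    memcpy(out, hb + 3, payload);                    /* the over-read */
    return (int)payload;
}

/* Fixed responder: the bounds check added in OpenSSL 1.0.1g. A heartbeat whose
   declared payload plus header and minimum padding does not fit in the record
   is silently dropped. The same comparison is what an IDS rule for Heartbleed
   probes has to make. */
int heartbeat_fixed(const unsigned char *mem, size_t rec_len,
                    unsigned char *out, size_t out_cap) {
    const unsigned char *hb = mem + REC_HDR;
    size_t frag_len;
    uint16_t payload;
    if (rec_len < 8 || mem[0] != TLS_CT_HEARTBEAT || hb[0] != HB_REQUEST) return -1;
    frag_len = (size_t)((mem[3] << 8) | mem[4]);
    if (REC_HDR + frag_len != rec_len) return -1;    /* header must match what arrived */
    payload = (uint16_t)((hb[1] << 8) | hb[2]);
    if (1 + 2 + (size_t)payload + HB_PADDING > frag_len) return -1; /* Heartbleed probe */
    if (payload > out_cap) return -1;
    memcpy(out, hb + 3, payload);
    return (int)payload;
}

/* Does buf[0..n) contain needle? NUL-safe, unlike strstr. */
int leaked(const unsigned char *buf, size_t n, const char *needle) {
    size_t k = strlen(needle);
    for (size_t i = 0; i + k <= n; i++)
        if (memcmp(buf + i, needle, k) == 0) return 1;
    return 0;
}

/* Attacker declares 100 payload bytes but sends 4: does the reply contain
   data from beyond the record? 1 = yes. */
int demo_vulnerable_leaks(void) {
    unsigned char out[MEM_SIZE];
    size_t rec_len = build_record(100, 4);
    int n = heartbeat_vulnerable(memory, rec_len, out, sizeof out);
    return n == 100 && leaked(out, (size_t)n, "password=hunter2");
}

/* Same probe against the fixed handler: -1 means it was dropped. */
int demo_fixed_rejects(void) {
    unsigned char out[MEM_SIZE];
    size_t rec_len = build_record(100, 4);
    return heartbeat_fixed(memory, rec_len, out, sizeof out);
}

/* An honest 4-byte heartbeat is still answered after the fix. 1 = yes. */
int demo_fixed_accepts_honest(void) {
    unsigned char out[MEM_SIZE];
    size_t rec_len = build_record(4, 4);
    int n = heartbeat_fixed(memory, rec_len, out, sizeof out);
    return n == 4 && memcmp(out, "AAAA", 4) == 0;
}

int main(void) {
    printf("vulnerable handler leaks neighbour data: %d\n", demo_vulnerable_leaks());
    printf("fixed handler result for the probe: %d\n", demo_fixed_rejects());
    printf("fixed handler answers honest request: %d\n", demo_fixed_accepts_honest());
    return 0;
}
```

The point to take from the two handlers is how small the difference is: one comparison between the attacker-supplied length and the length of the record that actually arrived. The fixed handler drops bad probes silently rather than sending an alert, which matches OpenSSL’s behaviour and is why a patched server is indistinguishable from the outside except by the test the checker sites run.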
Google security researcher Neel Mehta was the first to discover Heartbleed, and the weakness was independently found and confirmed by internet security firm Codenomicon. Alarmingly, the flaw has been in OpenSSL since version 1.0.1 shipped in March 2012, roughly two years. It is unknown whether attacks have been carried out, because exploiting the hole leaves no trace in ordinary server logs: a malicious heartbeat looks like routine TLS traffic.
In addition to exposing users’ passwords, personal files, and credit card information, attackers can also pull out the server’s private TLS key, the secret that lets the server prove its identity and that protects the traffic between you and the site.
“It may even be able to use the secret key to impersonate the server, tricking users into divulging their password and other sensitive information,” Vox Media wrote.
Codenomicon states that, because of the widespread use of OpenSSL and the untraceability of Heartbleed, you should consider your accounts compromised.
“You are likely to be affected either directly or indirectly,” their website, Heartbleed.com states. “OpenSSL is the most popular open source cryptographic library and TLS (transport layer security) implementation used to encrypt traffic on the Internet. Your popular social site, your company’s site, commercial site, hobby site, sites you install software from or even sites run by your government might be using vulnerable OpenSSL.”
To close the hole, vendors and service providers must upgrade to the fixed OpenSSL release, 1.0.1g, which was released Monday. Because the old private key may already have been read out, they also need to generate a new key and reissue the site’s certificate; patching alone does not undo a key that has already leaked.
“Operating system vendors and distribution, appliance vendors, independent software vendors have to adopt the fix and notify their users,” Codenomicon instructs. “Service providers and users have to install the fix as it becomes available for the operating systems, networked appliances and software they use.”
Changing your passwords before the server has been patched is useless: the new password can be stolen the same way as the old one. As of today, most of the major websites, including Yahoo, Google, and Facebook, have fixed the problem. To check whether a website has installed the updated OpenSSL software, visit http://filippo.io/Heartbleed/. A passing result only shows that the heartbeat hole is closed; it cannot tell you whether the site has also replaced a certificate whose private key may have been exposed.