Advertisement

We need your help now

Support from readers like you keeps The Journal open.

You are visiting us because we have something you value. Independent, unbiased news that tells the truth. Advertising revenue goes some way to support our mission, but this year it has not been enough.

If you've seen value in our reporting, please contribute what you can, so we can continue to produce accurate and meaningful journalism. For everyone who needs it.

heartbleed.com

'Heartbleed' security bug leaves encrypted web servers at risk

The bug can reveal the contents of a server’s memory – where sensitive data like usernames, passwords and credit card numbers is stored – and allows attackers to steal info without a trace.

MILLIONS OF WEB servers worldwide have a software flaw which lets attackers access the security keys used to secure online commerce and web connections.

The bug, named Heartbleed, is in open source software called OpenSSL which is widely used to encrypt web communications. The bug can reveal the contents of a server’s memory - where sensitive data like usernames, passwords and credit card numbers is stored.

It allows attackers to eavesdrop on communications, steal data directly from the servers and users and to impersonate services and users. The bug was discovered by a team of security engineers at Codenomicon and Google Security researcher Neel Metha, who first reported it to the OpenSSL team.

It is unclear how widespread the bug is since attackers leave no trace, something the team of security engineers confirmed when they tested the bug by attacking their own services.

We have tested some of our own services from attacker’s perspective. We attacked ourselves from outside, without leaving a trace. Without using any privileged information or credentials we were able steal from ourselves the secret keys used for our X.509 certificates, user names and passwords, instant messages, emails and business critical documents and communication.

According to the researchers who discovered the bug, the bug has been present in version of OpenSSL for two years and the latest version, which was released on 7th April, is no longer vulnerable to the bug.

Another developer has published a tool which lets people check websites for Heartbleed vulnerability. Major sites like Facebook, Twitter, Amazon and Google are not affected by the bug, but others like Yahoo and OkCupid are still vulnerable.

Read: This huge security flaw affects (nearly) all iPhones, iPads, and Apple computers >

Read: Security flaw on Android version of WhatsApp could leave user chats exposed >

Readers like you are keeping these stories free for everyone...
A mix of advertising and supporting contributions helps keep paywalls away from valuable information like this article. Over 5,000 readers like you have already stepped up and support us with a monthly payment or a once-off donation.

Close
9 Comments
    Submit a report
    Please help us understand how this comment violates our community guidelines.
    Thank you for the feedback
    Your feedback has been sent to our team for review.
    JournalTv
    News in 60 seconds