Heartbleed bug, internet's most alarming security threat ever

Author | Abhinna Shreshtha | Monday, Apr 14,2014 7:51 AM

A vulnerability in OpenSSL has potentially exposed millions of websites, including popular social networks, to data theft, researchers say. According to an advisory by the security firm Codenomicon (one of the discoverers of this vulnerability), the bug allows attackers to eavesdrop on communications, steal data directly from services and users, and impersonate services and users.

The bug has been given the name Heartbleed; its official designation is CVE-2014-0160. First disclosed publicly earlier last week, it has been present since the OpenSSL 1.0.1 release of March 2012 (the faulty code was committed at the end of 2011). What this means is that users of websites running the affected OpenSSL versions (and these number in the millions) were potentially open to data theft for about two years. It is still not clear whether anyone has actually exploited this vulnerability before disclosure, though one report claimed that anyone with a basic knowledge of programming could be in a position to abuse it.

Heartbleed has affected all kinds of websites, from e-commerce stores to banking sites and even popular social media platforms. Yahoo has already released patches as protection against the vulnerability. Google, in an official blog post, said that patches have been applied to Search, Gmail, YouTube, Wallet, Play, Apps, and App Engine, while Google Chrome and Chrome OS are not affected. “We are still working to patch some other Google services,” the statement further read. A Facebook India spokesperson told us that protections had been added for Facebook’s implementations of OpenSSL before this issue was publicly disclosed. The spokesperson further added that the company has not detected any signs of suspicious activity on people’s accounts. Twitter’s India team did not reply when approached. However, an official post by the company said, “We were able to determine that twitter.com and api.twitter.com servers were not affected by this vulnerability. We are continuing to monitor the situation.”

What is OpenSSL and how does the Heartbleed vulnerability work?

OpenSSL is a widely used open-source cryptographic library that implements the SSL (Secure Sockets Layer) and TLS (Transport Layer Security) protocols, which encrypt and authenticate communications such as a login to Gmail. A browser shows a lock icon next to the URL when a site is reached over HTTPS; a large share of the servers behind those lock icons rely on OpenSSL to handle the encrypted connection. The library is also deployed in email servers, VPN (virtual private network) systems and many other products, and is bundled with many operating systems.

The Heartbleed vulnerability lies not in the SSL/TLS protocol itself but in OpenSSL's implementation of the TLS ‘heartbeat’ extension (RFC 6520). A heartbeat lets either end of a connection send a short message and have it echoed back, to check that the other side is still alive. A heartbeat request carries its payload together with a field stating how long that payload is. Vulnerable OpenSSL versions copied as many bytes as the length field claimed back into the reply, without checking that the request actually delivered that many bytes, so a request that claims a 64 kB payload but sends only a few bytes receives the next 64 kB of the server's (or client's) memory in return, which can include session cookies, passwords and even the server's private key. OpenSSL.org confirms that up to 64 kB of memory can be revealed per request to a connected client or server, and nothing stops an attacker from repeating the request. Only OpenSSL 1.0.1 through 1.0.1f are affected: versions prior to 1.0.1 do not contain the heartbeat code, and 1.0.1g, released on 7 April 2014, adds the missing length check.
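The length-check failure described above, as an added example that is not OpenSSL's own code: a small C simulation of the heartbeat handler, with the vulnerable logic beside the fixed one. The record layout (type byte, two-byte payload length, payload, at least 16 bytes of padding) follows RFC 6520; the connection buffer, the ‘secret’ placed just after the received record and all function names are constructed for the demonstration.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* Constructed simulation of CVE-2014-0160 (not OpenSSL code).
 * Heartbeat record: [type][payload_length, 2 bytes big-endian][payload][padding >= 16] */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16

/* Constructed "connection memory": the received record sits at the front and,
 * as on a real heap, unrelated data from the same process lives right after it. */
static unsigned char conn_mem[256];

/* Build a request whose length field claims `claimed` bytes but carries only `actual`. */
static size_t build_request(unsigned char *buf, uint16_t claimed, size_t actual)
{
    buf[0] = HB_REQUEST;
    buf[1] = (unsigned char)(claimed >> 8);
    buf[2] = (unsigned char)(claimed & 0xff);
    memset(buf + 3, 'A', actual);
    memset(buf + 3 + actual, 0, HB_PADDING);
    return 3 + actual + HB_PADDING;          /* bytes that were actually received */
}

/* Vulnerable handler, modelled on the pre-1.0.1g logic: trusts the length field and
 * copies that many bytes from the payload pointer, never consulting the record length.
 * Returns the number of payload bytes echoed. */
static size_t heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                                   unsigned char *out, size_t out_cap)
{
    (void)rec_len;                           /* the bug: real record length is ignored */
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)payload_len + 3 + HB_PADDING > out_cap) return 0;  /* simulation bound only */
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload_len);   /* reads past the end of the record */
    memset(out + 3 + payload_len, 0, HB_PADDING);
    return payload_len;
}

/* Fixed handler, the check 1.0.1g introduced: header + claimed payload + padding
 * must fit inside the record that was actually received, otherwise drop it silently. */
static size_t heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                              unsigned char *out, size_t out_cap)
{
    if (rec_len < 1 + 2 + HB_PADDING) return 0;               /* cannot even hold a header */
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if (1 + 2 + (size_t)payload_len + HB_PADDING > rec_len) return 0;  /* claim exceeds record */
    if ((size_t)payload_len + 3 + HB_PADDING > out_cap) return 0;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload_len);
    memset(out + 3 + payload_len, 0, HB_PADDING);
    return payload_len;
}

/* Byte-string search without relying on the non-portable memmem(). */
static int contains(const unsigned char *hay, size_t n, const char *needle)
{
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(hay + i, needle, m) == 0) return 1;
    return 0;
}

/* Send one malicious request (claims 64 bytes, delivers 4) to the chosen handler and
 * report whether the constructed secret next to the record came back in the reply. */
int leaks_secret(int use_fixed)
{
    static const char secret[] = "session_cookie=deadbeef";  /* constructed neighbour data */
    unsigned char out[256];
    memset(conn_mem, 0, sizeof conn_mem);
    size_t on_wire = build_request(conn_mem, 64, 4);
    memcpy(conn_mem + on_wire + 8, secret, sizeof secret);   /* lands just past the record */
    size_t n = use_fixed ? heartbeat_fixed(conn_mem, on_wire, out, sizeof out)
                         : heartbeat_vulnerable(conn_mem, on_wire, out, sizeof out);
    if (n == 0) return 0;
    return contains(out + 3, n, secret);
}

int main(void)
{
    printf("vulnerable handler leaks secret: %d\n", leaks_secret(0));
    printf("fixed handler leaks secret:      %d\n", leaks_secret(1));
    return 0;
}
```

The simulation keeps the over-read inside one array so it runs without undefined behaviour; on a real server the same copy walks into whatever the allocator placed next to the record buffer, which is why the leaked contents vary from request to request.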

What are the ramifications?
It is still not clear if anyone actually exploited this vulnerability during the roughly two years it has been present. With most of the top internet companies and social platforms having already released patches and fixes, user data on those services seems safe for now. Users are nevertheless being advised to change their passwords for added security. How useful that is remains debatable: a new password entered on a site that has not yet patched is simply handed to the same leaky server, so the change only helps once the site has been fixed. And because the leaked memory can include a server's private key (which is what makes the impersonation mentioned above possible), patching alone is not enough for site operators, who also need to issue new keys and certificates and revoke the old ones. Web security experts we spoke to said it would take more time to analyse and understand all the implications of Heartbleed. Websense, a security firm, stated that 600 of the top 10,000 websites (as ranked by Alexa) are still vulnerable. The company said in a blog post, “It is understood that web server logs will not show whether the vulnerability has been used, thus making an attack difficult to detect from that perspective.”

Keep following this space for more updates and developments.
