After the discovery this week of a massive security flaw in the open source software used to secure and encrypt a vast portion of internet communications, major tech firms are urging users across the Web to change the passwords on all of their accounts.
Dubbed the “Heartbleed” bug by the researchers responsible for uncovering it, the widespread security hole allows hackers to steal code from websites and online services which reveal the most sensitive of user information — including usernames, passwords, communications, credit card and account information.
Websites, web applications, email, instant messenger services and even virtual private networks are among many other Internet programs that use the customizable OpenSSL (secure sockets layer) security library on websites with HTTPS (embedded in the addresses of most websites users browse to) encryption to protect users information on their services.
“The little lock icon (HTTPS) we all trusted to keep our passwords, personal emails, and credit cards safe, was actually making all that private information accessible to anyone who knew about the exploit,” the popular blogging platform Tumblr wrote in a post.
Though a fix for the single affected version of OpenSSL has already been issued, the version itself has been around for two years. The nature of the flaw makes it impossible to tell whether or not sensitive data was accessed or compromised from services or websites by third party hackers that could have exploited the bug in that span of time.
“This might be a good day to call in sick and take some time to change your passwords everywhere – especially your high-security services like email, file storage, and banking, which may have been compromised by this bug,” Tumblr said.
Computer security expert Bruce Schneier agreed that reports on the severity of the bug were not being overblown in a Wednesday blog post where he described the flaw as “catastrophic.”
“On a scale of 1 to 10, this is an 11,” Schneier said while speculating the bug could have been added intentionally, but thinks it more likely it was accidental.
Google security team member Neel Mehta uncovered the bug along with security engineers at Codenomicon, which put up a website explaining the security flaw in detail.
“The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software,” heartbleed.com reads. “This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content.”
“This allows attackers to eavesdrop communications, steal data directly from the services and users and to impersonate services and users.”
Cybersecurity company NCC Group told the BBC that someone “with a moderate level of technical skills” running their own programs could exploit the bug and launch successful attacks to gain sensitive information – especially since its disclosure to the public earlier this week.
“As long as service providers have patched their software it would now be a prudent step for the public to update their passwords,” NCC Group associate director Ollie Whitehouse said.
“If people have logged into a service during the window of vulnerability then there is a chance that the password is already harvested,” Codenomicon Chief Technology Officer Ari Takanen agreed. “In that sense it’s a good idea to change the passwords on all the updated web portals.”