In the week since news broke about the Heartbleed bug, which left two-thirds of the Internet’s usernames, passwords, communications and credit cards vulnerable to theft for the last two years, users still aren’t sure which of their accounts may have been compromised, and when the websites and services they frequent will be safe.
Password software client LastPass is trying to answer those questions with a new tool on its website that lets users type in a web address they frequent and view a status report on the site. The report tells users what server software the site uses, whether it was vulnerable to Heartbleed, whether it has or has not been fixed, and whether or not they should change their passwords.
Google just released a similar tool for its Chrome web browser called Chromebleed, which, after being installed as an extension, warns users when they’ve navigated to a site that has not issued a patch, and suggests that they leave the site and notify its developers.
Shortly after discovering the bug, which opened a security hole in OpenSSL-secured, HTTPS-encrypted websites and services and allowed hackers to intercept sensitive user data and view it in plain text, security researchers warned users to stay offline and not change passwords or account information until Internet servers adopted a patch.
Without it, changed passwords and data could be intercepted all over again, and would be at even greater risk now that the vulnerability has been publicly disclosed.
The programmer responsible for the bug said in an interview Friday that it was a mistake, but warned that it could have been used by intelligence agencies for years to spy on Internet users everywhere. Such speculation became fact late Friday when anonymous sources revealed the National Security Agency had been exploiting the bug for at least two years to surveil users, while putting their sensitive data at even greater risk of theft.