Heartbleed bug may expose masses of sensitive data

By Danny Yadron

An encryption tool used by a large chunk of the Internet is flawed, potentially exposing reams of data meant to be hidden from prying eyes.

( Have you been affected? Use this tool to check to see if a website youre visiting is open to attack via the Heartbleed flaw. And read this FAQ from the company that discovered the flaw.)

The bug, nicknamed Heartbleed by researchers at Google Inc. /quotes/zigman/30194416/delayed/quotes/nls/goog GOOG +0.22% and cybersecurity firm Codenomicon, could have affected two-thirds of active websites when it was disclosed Monday, they said.

On Tuesday, website operators, including Yahoo Inc., /quotes/zigman/59898/delayed/quotes/nls/yhoo YHOO +2.10% raced to fix the problem. A Yahoo spokeswoman said the company had made the appropriate corrections. Several researchers said earlier that they had been able to capture Yahoo usernames and passwords.

Many other major websites, such as Google, Amazon.com Inc. /quotes/zigman/63011/delayed/quotes/nls/amzn AMZN -0.24% and eBay Inc., /quotes/zigman/76117/delayed/quotes/nls/ebay EBAY +0.93% appeared to be safe, based on a test created by a researcher for cybersecurity company Qualys Inc. /quotes/zigman/12094171/delayed/quotes/nls/qlys QLYS -0.47%

The bug exploits a problem in certain versions of OpenSSL, a free set of encryption tools used by much of the Internet. OpenSSL is managed by four core European programmers, only one of whom counts it as his full-time job. The limited resources behind the encryption code highlight a challenge for Web developers amid increased concern about hackers and government snoops.

Websites increasingly use encryption to mask data such as usernames, passwords and credit-card numbers. That prevents a hacker lurking at a coffee shop from grabbing personal information out of the air as it travels to a wireless router. This type of encryption is called SSL, or secure sockets layer, or TLS, or transport layer security. When a website is using these forms of encryption, a padlock appears with the Web address in a browser.

Web servers that use the affected versions of the code store some data unprotected in memory. Hackers can grab that data, and reconstruct information about users or keys that would allow them to monitor past or future encrypted traffic.

Anyone can reach out to the Internet and scoop out of the data, said Thomas Ptacek, a researcher at Matasano Security in Chicago. I can be in my office here. I can be in Estonia.

Go here to see the original:
Heartbleed bug may expose masses of sensitive data