Widely Adopted Encryption Has a 'Heartbleed' Bug That Leaks Information

Future Tense
The Citizen's Guide to the Future
April 8 2014 4:09 PM

Popular Encryption Software’s “Heartbleed” Bug Leaks Information

The symbol of Heartbleed is simultaneously cartoonish and concerning.

Logo by Codenomicon.

Researchers have disclosed a serious vulnerability in standard Web encryption software. Known as “Heartbleed,” the bug can give hackers access to personal data like credit card numbers, usernames, passwords, and, perhaps most importantly, cryptographic keys—which can allow hackers to impersonate or monitor a server. It didn't affect sites like Google, Facebook, Twitter, or Dropbox, but Yahoo and even openssl.org were vulnerable.

Lily Hay Newman

Lily Hay Newman is lead blogger for Future Tense.

The vulnerability in encryption software OpenSSL was discovered by Google researcher Neel Mehta and the security firm Codenomicon. They gave the bug—officially known as CVE-2014-0160—the appropriately evocative and frightening name Heartbleed.


Though Web encryption flaws come up regularly, Heartbleed is significant because of its reach, and the effort that will be required of IT administrators across the Internet to eradicate the bug. Users don't have to download a patch or do anything in particular to protect themselves other than changing their account passwords if they know they use a service that was compromised. About half a million websites that use OpenSSL are currently vulnerable, according to the Internet security company Netcraft.

On Heartbleed.com, a site set up to draw attention to the problem, Codenomicon writes that the vulnerability "allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users." When Codenomicon purposely hacked its own servers, exploiting Heartbleed, the company was able to "steal" cryptographic keys, usernames, passwords, instant messages, emails, documents, and other communications from itself.

OpenSSL has already released an emergency patch for the bug, called Heartbeat. But the vulnerability is in fairly ubiquitous software around the Web, and it will take a while for the patch to disseminate. A tool from SSL Labs, a repository of SSL documents and tools, allows you to check any URL for the OpenSSL vulnerability.
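The defect the patch closes is a missing length check: a heartbeat reply was built from the length the peer declared rather than from the number of bytes that actually arrived. The C model below is an added illustration, not OpenSSL's code or anything from the article; the simplified record layout, the `memory` contents and the helper names are all assumptions made for the demonstration, and it shows the vulnerable pattern beside the hardened one.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
/* Constructed model of a TLS heartbeat record (not OpenSSL's own code): one
   type byte, a two-byte big-endian payload length, then the payload.
   Padding and the surrounding TLS framing are omitted. */
#define RECORD_BUF 64
#define RECEIVED_LEN 7   /* bytes actually received: type + length + "PING" */
/* Simulated process memory: the received record, followed by unrelated data. */
static const unsigned char memory[RECORD_BUF] =
    "\x01\x00\x04PING" "SECRET-KEY-MATERIAL-FOLLOWS-THE-RECORD";
static unsigned char reply[RECORD_BUF];   /* what would be echoed to the peer */

static size_t declared_len(const unsigned char *rec) {
    return ((size_t)rec[1] << 8) | rec[2];
}

/* Vulnerable pattern: echoes as many bytes as the peer declared, without
   comparing that figure with how many bytes actually arrived. */
size_t reply_vulnerable(const unsigned char *rec, size_t rec_len) {
    size_t n = declared_len(rec);
    (void)rec_len;                      /* the defect: never consulted */
    if (3 + n > RECORD_BUF) return 0;   /* only keeps this model free of UB */
    memcpy(reply, rec + 3, n);          /* copies memory beyond the record */
    return n;
}

/* Hardened pattern: the declared payload must fit inside the received record. */
size_t reply_fixed(const unsigned char *rec, size_t rec_len) {
    if (rec_len < 3) return 0;
    size_t n = declared_len(rec);
    if (3 + n > rec_len) return 0;      /* the kind of bounds check the fix adds */
    memcpy(reply, rec + 3, n);
    return n;
}

/* Runs one request against a scratch copy of memory. With inflate set, the
   declared length is raised to 32 although only 7 bytes were received. */
size_t run_request(int inflate, int use_fix) {
    unsigned char scratch[RECORD_BUF];
    memcpy(scratch, memory, RECORD_BUF);
    if (inflate) { scratch[1] = 0x00; scratch[2] = 0x20; }
    memset(reply, 0, RECORD_BUF);
    return use_fix ? reply_fixed(scratch, RECEIVED_LEN)
                   : reply_vulnerable(scratch, RECEIVED_LEN);
}

int main(void) {
    size_t n = run_request(1, 0);
    printf("vulnerable: echoed %zu bytes: %.*s\n", n, (int)n, (const char *)reply);
    printf("fixed: echoed %zu bytes\n", run_request(1, 1));
    return 0;
}
```

The inflated request makes the vulnerable path echo 32 bytes, 28 of them taken from memory past the record, while the hardened path discards the request and echoes nothing.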

Most major services were not affected or rapidly upgraded their servers to incorporate the OpenSSL patch. Some have also tried to reassure customers that their information wasn’t really at risk from Heartbleed anyway. For example, a spokesperson for the password management service LastPass, which implemented the patch early this morning, told CNET, "Nearly all your data is also encrypted with a key that LastPass servers never get—so this bug could not have exposed customer's encrypted data."

It’s possible, though, that Heartbleed might not be as fatal as it seems. Adam Langley, a Google security expert who helped close the OpenSSL hole, said on Twitter that his testing didn't reveal information as sensitive as secret keys.

Nevertheless, admins are racing to patch the bug, and many sites that corrected the vulnerability will probably prompt their users to reset account passwords in the coming days. It may not be an apocalypse, but Heartbleed is a good reminder for everyone to change sensitive passwords regularly.

Future Tense is a partnership of Slate, New America, and Arizona State University.
