Public Urged to Change Passwords as Major Security Bug Revealed

Authored by Huw Oxburgh
Posted Wednesday, April 9, 2014 - 5:34pm

Major tech firms are urging people to change all their passwords after the discovery of a major security flaw affecting around 66% of all internet sites.

The flaw, dubbed the ‘Heartbleed Bug’ by major web security firms Google Security and Codenomicon, affects a widely used piece of data-safeguarding software called OpenSSL.

The software is reportedly used on around 66% of all internet sites, and while not all are thought to be vulnerable, several major sites including Flickr, OkCupid and the video game forum Steam Community were vulnerable as of yesterday.

The Yahoo blogging platform Tumblr became the first major site to react to the news and has advised users to: "change your passwords everywhere - especially your high-security services like email, file storage and banking".

The flaw has allowed potential ‘hackers’ to pull small, random pieces of data from a server over and over until they obtain the private keys needed to read all of the information that is there.

This could potentially let hackers obtain individuals’ information such as passwords, and from there gain access to other sites.

On the website heartbleed.com, written by Codenomicon, a Finnish web security company, the company writes: “We have tested some of our own services from attacker's perspective. We attacked ourselves from outside, without leaving a trace.

“Without using any privileged information or credentials we were able to steal from ourselves the secret keys used for our X.509 certificates [web security certificates], user names and passwords, instant messages, emails and business critical documents and communication.”

While Google and Codenomicon believe that the flaw has existed for around two years, there is no way to know whether it had been widely exploited, or even discovered, in that time.

However, now the problem is public, many will be seeking to exploit the flaw before it is fixed.

While some sites are already running fixed versions of OpenSSL and are secure, other sites are still exposed.

The flaw has worried many of the world’s largest websites and security companies, some of which have gone as far as suggesting people stay off the internet for several days until the problem is resolved.

However, Dr Steven Murdoch, a researcher at the University of Cambridge Computer Laboratory, is unconvinced by the web industry’s panic.

Speaking to the BBC’s technology desk editor, Leo Kelion, Dr Murdoch said: "I think there is a low to medium risk that any given password has been compromised."

"It's not the same as previous breaches where there's been confirmed password lists posted to the internet. It's not as urgent as that.

"But changing your password is very easy. So it's not a bad idea but it's not something people have to rush out to do unless the service recommends you do so."