'Heartbleed' Bug Exposes Millions of Websites to Security Risks

Image: Heartbleed bug (heartbleed.com via Tom's Guide)


Millions of websites may have been leaking critically sensitive data for the past two years, thanks to a devastating flaw in the OpenSSL software many sites use to encrypt and transmit data.

The Heartbleed bug, as it's called by the researchers who discovered it, lets anyone on the Internet read chunks of the memory of a supposedly secure Web server running certain versions of OpenSSL, without ever logging in. That memory can contain the site's private encryption keys, user passwords, session cookies and site content.

Once an attacker has a website's private encryption key, anything is fair game: he can impersonate the site and decrypt recorded traffic to it (unless the connections used forward secrecy). Instead of slipping through a proverbial crack in the wall, he can now walk in and out the front door.


There have been no documented instances of attacks exploiting the Heartbleed bug. But because an attack using the bug would leave no trace, and the potential damage from an attack would be so significant, all websites that ever used the affected versions of OpenSSL should be considered compromised. That means patching alone is not enough: the site's private keys need to be replaced and the old certificates revoked, and users' passwords and session cookies reset after the patch is in place.


Websites that are currently vulnerable to Heartbleed exploits include Yahoo, Comixology, Flickr, Imgur and OculusVR. Many other top sites — including Facebook, Google, Wikipedia, Amazon, Twitter, Apple and Microsoft — are not currently vulnerable, though some may have been in the past.

Most secure websites encrypt traffic to and from their servers using a protocol called SSL/TLS. Several different software libraries implement this protocol, and one of the most widely used is an open-source library called OpenSSL.

The Heartbleed bug is in OpenSSL itself, not in SSL/TLS. It sits in OpenSSL's implementation of the TLS "heartbeat" extension: a missing bounds check lets a client ask the server to echo back up to 64 kilobytes of whatever happens to be in its memory, and the client can repeat the request as often as it likes. The defect entered the code in December 2011 and shipped in OpenSSL 1.0.1 (released March 2012) through 1.0.1f; version 1.0.1g, released April 7, 2014, fixes it, and the older 1.0.0 and 0.9.8 branches were never affected. Not every instance of SSL or TLS encryption across the Internet is compromised. But OpenSSL is the default encryption library in Apache and Nginx server software, which together power two-thirds of all websites.

An attack exploiting the Heartbleed bug leaves no trace in an attacked Web server's logs: the malicious heartbeat is handled inside the TLS layer, before any request reaches the Web application that does the logging. The exchange is visible on the wire, though, so network intrusion-detection systems can flag heartbeat requests whose declared payload length is larger than the record that carries them, and full packet captures from before the patch can be searched for the same pattern. Absent such captures, it's impossible to tell how many sites, if any, may have been exploited, and how many may have been vulnerable over the past two years.
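The missing bounds check behind the bug, and the wire-level check a detector can make, as an added example: this is illustrative code written for this page, not code from OpenSSL, heartbleed.com or Tom's Guide. It builds heartbeat records in the RFC 6520 layout, models a vulnerable handler that trusts the declared payload length next to the patched handler's check, and runs a detector over the raw record. The "process memory" contents (a session cookie and a key fragment sitting next to the received record) are constructed for the demonstration.

```python
import struct

# TLS record header (RFC 5246): content type, version (2 bytes), length (2 bytes).
# Heartbeat messages (RFC 6520) use content type 0x18 and carry a type byte,
# a two-byte payload length, the payload, and at least 16 bytes of padding.
TLS_HEARTBEAT = 0x18
HEARTBEAT_REQUEST = 0x01
HEARTBEAT_RESPONSE = 0x02
PADDING_LEN = 16
RECORD_HEADER = struct.Struct("!BBBH")
U16 = struct.Struct("!H")


def build_heartbeat_record(declared_len, payload, version=(3, 2)):
    """Build a TLS heartbeat request. A benign client declares the length it
    sends; a Heartbleed probe declares far more than it sends (up to 65535)."""
    fragment = (bytes([HEARTBEAT_REQUEST]) + U16.pack(declared_len)
                + payload + b"\x00" * PADDING_LEN)
    return RECORD_HEADER.pack(TLS_HEARTBEAT, *version, len(fragment)) + fragment


def parse_tls_record(record):
    """Split a raw TLS record into (content_type, version, fragment)."""
    if len(record) < RECORD_HEADER.size:
        raise ValueError("truncated TLS record header")
    ctype, vmaj, vmin, length = RECORD_HEADER.unpack(record[:RECORD_HEADER.size])
    fragment = record[RECORD_HEADER.size:RECORD_HEADER.size + length]
    if len(fragment) != length:
        raise ValueError("record length field does not match bytes present")
    return ctype, (vmaj, vmin), fragment


def is_heartbleed_probe(record):
    """Wire-level check an IDS can make: a heartbeat request whose declared
    payload (plus header and padding) cannot fit in the record it arrived in."""
    ctype, _, fragment = parse_tls_record(record)
    if ctype != TLS_HEARTBEAT or len(fragment) < 3 or fragment[0] != HEARTBEAT_REQUEST:
        return False
    declared = U16.unpack(fragment[1:3])[0]
    return 1 + 2 + declared + PADDING_LEN > len(fragment)


def build_process_memory(fragment):
    """Constructed heap image: the received fragment followed by whatever the
    server happened to have nearby (a session cookie and a key fragment, both
    made up for this example). Returns (memory, fragment_offset, fragment_len)."""
    neighbours = (b"Cookie: session=9f8e7d6c; user=alice\r\n"
                  b"-----BEGIN RSA PRIVATE KEY-----\nMIIE...constructed...\n")
    return bytearray(fragment + neighbours), 0, len(fragment)


def handle_heartbeat(memory, offset, fragment_len, patched):
    """Model of the server-side handler. Vulnerable OpenSSL (1.0.1 to 1.0.1f)
    copied `declared` bytes starting at the payload without checking that they
    lie inside the received record; 1.0.1g added that check and silently drops
    the request. Python slicing stops at the end of `memory`; the real C copy
    kept reading into adjacent heap."""
    hb_type = memory[offset]
    declared = U16.unpack(memory[offset + 1:offset + 3])[0]
    if hb_type != HEARTBEAT_REQUEST:
        return None
    if patched and 1 + 2 + declared + PADDING_LEN > fragment_len:
        return None  # the 1.0.1g bounds check: discard, per RFC 6520 section 4
    payload_start = offset + 3
    echoed = bytes(memory[payload_start:payload_start + declared])
    return (bytes([HEARTBEAT_RESPONSE]) + U16.pack(len(echoed))
            + echoed + b"\x00" * PADDING_LEN)


def demo():
    """Run a benign heartbeat and a Heartbleed probe through the detector and
    through both versions of the handler; returns the results per case."""
    cases = {"benign": build_heartbeat_record(3, b"abc"),
             "probe": build_heartbeat_record(0x4000, b"abc")}
    results = {}
    for name, record in cases.items():
        _, _, fragment = parse_tls_record(record)
        memory, off, flen = build_process_memory(fragment)
        results[name] = {
            "flagged": is_heartbleed_probe(record),
            "vulnerable": handle_heartbeat(memory, off, flen, patched=False),
            "patched": handle_heartbeat(memory, off, flen, patched=True),
        }
    return results


if __name__ == "__main__":
    for name, r in demo().items():
        leaked = r["vulnerable"] or b""
        print(f"{name}: flagged={r['flagged']} patched_replies={r['patched'] is not None} "
              f"leaked_cookie={b'session=' in leaked}")
```

The benign request is echoed back by both handlers and never flagged; the probe is flagged on the wire, the vulnerable handler's reply carries the cookie and key material that sat after the record in memory, and the patched handler returns nothing at all. The same length comparison is what the server-side fix checks and what a network sensor can check, which is why the attack is invisible in application logs but not in a packet capture.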

Neel Mehta of Google Security and a team of engineers at Oulu, Finland-based security company Codenomicon independently discovered the Heartbleed bug, though they haven't specified when. They've created a FAQ page at heartbleed.com with full details.

UPDATE 5:15 PM EDT Tuesday: Several proof-of-concept attacks have succeeded against Yahoo Mail using this security flaw. Until Yahoo gives the all-clear, please do not log into Yahoo Mail or any other Yahoo sites that require a password.

— Jill Scharr, Tom's Guide

This is a condensed version of a report from Tom's Guide. Read the full report.

Email jscharr@techmedianetwork.com or follow her @JillScharr and Google+. Follow us @TomsGuide, on Facebook and on Google+.