Heartbleed: The most dangerous web security bug, explained in a simple way.


On April 1st last month, Neel Mehta of Google Security discovered a flaw in the OpenSSL cryptographic library, an encryption technology used to secure over two-thirds of internet traffic. (Yes, this is the lock that appears in your browser's address bar to indicate the site is safe.) Soon after, on April 4th, a security team at Codenomicon also discovered the bug, named it Heartbleed and gave it a logo.

The bug was later reported on countless sites and in the media as the most catastrophic vulnerability discovered since internet traffic began to flow.

What can the bug do?

The flaw in OpenSSL meant that critical information, ranging from your usernames and passwords to your credit card details, was exposed to any skilled hacker, and without the attack being traceable.

What kind of websites can the bug affect?

According to the official website of Heartbleed, "Your popular social site, your company's site, commerce site, hobby site, site you install software from or even sites run by your government might be using vulnerable OpenSSL". That is around 66% of today's internet!

What can be affected by Heartbleed?

The popular websites listed below were vulnerable or suspected to be vulnerable to the attack. However, they were quickly fixed to prevent Heartbleed.

  • Google
  • Facebook
  • Twitter
  • Yahoo
  • Gmail
  • YouTube
  • Instagram
  • Pinterest
  • Tumblr
  • Yahoo Mail
  • GoDaddy
  • Dropbox
  • OkCupid

Heartbleed can attack not only websites but applications too. Many Android 4.1.1 apps are believed to be susceptible to the attack. However, Google has pushed a patch to device manufacturers. There are various tools that can tell you whether a site or an app is vulnerable.

Is Heartbleed still active?

A patched version of OpenSSL was released on April 7th, the day the bug was disclosed to the public. However, it would be wise for you to change the passwords of websites which you hold dear.

Since when is Heartbleed active?

Heartbleed was found only in version 1.0.1 of OpenSSL, which was released on March 14, 2012. From then until April 1, 2014, nobody detected the bug, and websites and apps were susceptible to the attack!

How did Heartbleed appear?

A programmer named Robin Seggelmann created an extension called Heartbeat (hence the name Heartbleed) and submitted the code for review to Stephen N. Henson, a core developer at OpenSSL, who failed to notice the bug and integrated it into the source code.

How does Heartbleed work?

Consider the client-server model. In a typical Heartbeat exchange, the client sends the server a Heartbeat message (which can hold a maximum of 64KB) containing a word and the length of that word, and the server sends the word back. For example, if the client asks for the 7 letter word Address, the server replies with the 7 letter word Address. The server takes the stated length on trust, irrespective of whether the word actually occupies that much memory or not (the bug).

Heartbleed exploits this scenario: the client asks the server to send back a 500 letter word Address. The server now sends everything contained in the memory that a 500 letter word would occupy, starting with Address, say: Address, No.21, ABC Lane, Password is 123@XYZ. That is, basically whatever was stored in the active 64KB of server memory after Address.
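
The missing length check described above, shown beside a corrected version. This is an added example and a simplified model, not OpenSSL's own code: the function names, the 3-byte header layout without padding, and the sample memory contents are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HDR 3      /* 1 byte type + 2 byte claimed payload length */
#define REC_LEN 10 /* bytes actually received: header + "Address" */

/* Constructed sample of server memory: the received record, then
 * unrelated data that happens to be stored right after it. */
static const uint8_t server_mem[1024] =
    "\x01\x01\xf4" "Address"   /* type 1, claims 0x01f4 = 500 bytes */
    ", No.21, ABC Lane, Password is 123@XYZ";

/* Vulnerable shape: the reply size comes from the message itself. */
size_t echo_vulnerable(const uint8_t *rec, size_t rec_len, uint8_t *out) {
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    (void)rec_len;                      /* never consulted: the bug */
    memcpy(out, rec + HDR, claimed);
    return claimed;
}

/* Hardened shape: drop the request if the claim exceeds what arrived. */
size_t echo_checked(const uint8_t *rec, size_t rec_len, uint8_t *out) {
    if (rec_len < HDR) return 0;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    if (claimed > rec_len - HDR) return 0;
    memcpy(out, rec + HDR, claimed);
    return claimed;
}

/* Returns 1 if the reply bytes contain the given text. */
int reply_contains(const uint8_t *buf, size_t n, const char *text) {
    size_t t = strlen(text);
    for (size_t i = 0; t <= n && i <= n - t; i++)
        if (memcmp(buf + i, text, t) == 0) return 1;
    return 0;
}

int main(void) {
    static uint8_t out[65535];
    size_t n = echo_vulnerable(server_mem, REC_LEN, out);
    printf("vulnerable: %zu bytes, leaks secret: %d\n", n,
           reply_contains(out, n, "Password is 123@XYZ"));
    n = echo_checked(server_mem, REC_LEN, out);
    printf("checked:    %zu bytes\n", n);
    return 0;
}
```

The checked version answers an honest 7 letter request normally and sends nothing back for the 500 letter claim.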

For more info: heartbleed
