The bug that rocked the foundations of the web
FORTUNE — Late on Monday afternoon, the details of one of the most serious security problems to ever affect the modern web were posted online. Dubbed Heartbleed, the vulnerability has major companies scrambling this week to patch their systems and could have been exploited to harvest data from millions of users. The bug has been in the wild for more than two years, and leaves no trace of suspicious activity. Some estimates suggest that two-thirds of the web has been at risk since 2011.
Heartbleed affects OpenSSL, one of the key technologies used to encrypt data online. It allows attackers to retrieve sensitive information such as usernames, passwords and credit card details from servers running the software. While OpenSSL is not used by the likes of Google, Microsoft and Apple, it’s a popular choice for countless companies large and small.
A hacker making use of the Heartbleed vulnerability can “fish” for random chunks of data on a vulnerable server. While these chunks are small, the process can be repeated again and again, and leaves no trace of any breach. The data packets returned to the hacker could include log in details, private information, email messages and even encryption keys. Those keys are particularly important, allowing a hacker to successfully emulate the site in question, leaving no clue that it isn’t genuine.
Investigative journalist and security researcher Brian Krebs has posted in depth about the exploit. He tells Fortune: “Attackers can steal the ‘keys to the kingdom,’ as it were — the private encryption keys that websites use to encrypt and decrypt all communications with visitors. As broad-scale Internet vulnerabilities go, this one is about as dangerous as it gets. While there are probably fewer than a half million sites that are vulnerable right now, many of the vulnerable sites have millions or even hundreds of millions of users.”
Krebs points to online lists and tools that can be used to test for Heartbleed. Big-name portals such as Yahoo, Flickr, OKCupid, Zoho, 500px, Imgur and even the F.B.I. were identified as being vulnerable as the news broke. Many sites have now put fixes in place — as of Wednesday morning, Yahoo says it has rolled out an upgrade for the majority of its sites. E-mail servers and instant messenger communications are also at risk.
For any company that has a presence on the web and uses OpenSSL, this means an urgent round of upgrading and patching — or an urgent call to the relevant web hosting firm. The latest version of OpenSSL fixes Heartbleed, but a lengthy and involved process of renewing security certificates and resetting encryption keys is also required. Even when the bug has been eradicated, there’s no knowing how much data was lost in the interim, and the repercussions could be felt for years to come.
“Many Internet users will probably be asked at least once this week to change their passwords at various sites,” Krebs says. “Affected website administrators have to replace the private keys and certificates for their OpenSSL installations after patching the bug. And since this exploit for many sites seems to leaves few traces behind, many organizations will probably want to be on the safe side and will be advising users to change their passwords as well.”
As far as end users are concerned, there’s not much choice but to sit it out and avoid affected sites until an update has been rolled out. Resetting passwords will help to shore up the breach, but only after the sites in question have been upgraded. The usual common sense approaches — keeping a close eye on credit card bills and watching for suspicious activity online — are among the best steps to staying safe.
“People often joke that ‘Oh, perhaps we should stay off the Internet’ in response to certain threats, but in this case I think that may not be a horrible idea,” Krebs says. “If you happen to log in to a site that is vulnerable, there is a more than trivial chance that some attacker will steal your credentials . . . the problem is that it’s not readily apparent to the end user which sites are fine and which are still vulnerable.”
The bug was first spotted by coders working for Google and Codenomicon, who posted an information page online and christened the vulnerability “Heartbleed” because it takes advantage of a common OpenSSL extension called Heartbeat. “Your popular social site, your company’s site, commerce site, hobby site, site you install software from or even sites run by your government might be using vulnerable OpenSSL,” warns the announcement.
This week, IT managers across the globe will be working feverishly to get their systems up to date, and praying that no one took advantage of Heartbleed. The most worrying part? They may never know.