Some websites running SSL encryption, such as Airbnb, Pinterest, USMagazine.com, NASA, and Creative Commons, among others, were exposed to a major security bug called Heartbleed on Monday.
The bug was reportedly discovered by a member of Google’s security team and a software security firm called Codenomicon.
A number of other websites may, according to a list being distributed on GitHub, be vulnerable to the bug as well.
The bug affects web servers running Apache and Nginx software, and it has the potential to expose private information users enter into websites, applications, web email and even instant messages.
And while most security experts advise that you always use websites and services offering SSL encryption whenever possible, the Heartbleed bug allows malicious operators to defeat this security layer and capture passwords, as well as forge authentication cookies and obtain other private information.
A security patch for the bug was announced on Monday, but many websites are still playing catch-up. That’s why websites like the Tor Project are, only somewhat tongue-in-cheek, advising that you stay off the Internet this week if you really care about your security.
One of the messages on the Heartbleed homepage, a site created to address the bug, states:
“[The Heartbleed bug] compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content… As long as the vulnerable version of OpenSSL is in use it can be abused.”
On the GitHub list, some of the websites deemed “not vulnerable” to the Heartbleed bug include Google, Tumblr, FourSquare, Evernote and many others.
Another helpful site called the Heartbleed Checker, launched by LastPass, allows you to enter the URL of any website to check its vulnerability to the bug.
In the meantime, while websites are installing the latest version of OpenSSL to fix the bug, it would be a good idea to wait for confirmed updates on your favorite websites and services and then change your password, just to be as safe as possible.