Widespread Encryption Bug, Heartbleed, Can Capture Your Passwords

Some websites running SSL encryption, such as Airbnb, Pinterest, USMagazine.com, NASA, and Creative Commons, among others, were exposed to a major security bug called Heartbleed on Monday.

The bug was reportedly discovered by a member of Google’s security team and a software security firm called Codenomicon.

According to a list being distributed on GitHub, a number of other websites may be vulnerable to the bug as well.

The bug affects web servers running Apache and Nginx software, and it has the potential to expose private information users enter into websites, applications, web email and even instant messages.

And while most security experts advise that you always use websites and services offering SSL security encryption whenever possible, the Heartbleed bug allows malicious operators to defeat this security layer, capture passwords, forge authentication cookies and obtain other private information.

A security patch for the bug was announced on Monday, but many websites are still playing catch-up. That’s why websites like the Tor Project are, only somewhat tongue-in-cheek, advising that you stay off the Internet this week if you really care about your security.

One of the messages on the Heartbleed homepage, a site created to address the bug, states:

[The Heartbleed bug] compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content… As long as the vulnerable version of OpenSSL is in use it can be abused.

So far, some of the services and websites that have confirmed an OpenSSL software security update include WordPress, Amazon Web Services, Akamai and others.

On the GitHub list, some of the websites deemed “not vulnerable” to the Heartbleed bug include Google, Tumblr, FourSquare, Evernote and many others.

Another helpful site called the Heartbleed Checker, launched by LastPass, allows you to enter the URL of any website to check its vulnerability to the bug.

3 things you can do to protect yourself

  • Wait for an official announcement from any secure website or service that you normally use regarding a security update.
  • After you’ve confirmed that the site or service has installed a security update, change your passwords.
  • For at least the next week, keep an eye on any of your sensitive online accounts (banking, webmail) for suspicious activity.

In the meantime, while websites are installing the latest version of OpenSSL to fix the bug, it would be a good idea to wait for confirmed updates on your favorite websites and services and then change your password, just to be as safe as possible.

Source: Mashable