A security flaw in software that’s used to secure the information of millions of Internet users could leave private information such as passwords and credit card numbers unprotected. This flaw affects systems like Ubuntu, which are generally considered very secure.
This vulnerability is called Heartbleed and experts say it works like a skeleton key that could allow hackers to open the accounts of users and take whatever private information they want. The flaw is found in the open-source software OpenSSL and it can let hackers access the memory of a server where sensitive data is stored. This includes usernames, passwords and even your credit card and bank account numbers. It’s estimated that this bug could affect one third of the secure sites on the Internet. This flaw does not affect Windows Cryptographic API.
Social sites, government sites and online stores are all possibly affected, and many open source web servers like Apache use OpenSSL. This bug will most likely affect commercial and government sites instead of home computers, but these are sites where the private information of users is stored. And this bug leaves almost no trace that anything has been accessed.
Among operating systems affected by Heartbleed are:
- Debian Wheezy (stable), OpenSSL 1.0.1e-2+deb7u4
- Ubuntu 12.04.4 LTS, OpenSSL 1.0.1-4ubuntu5.11
- CentOS 6.5, OpenSSL 1.0.1e-15
- Fedora 18, OpenSSL 1.0.1e-4
- OpenBSD 5.3 (OpenSSL 1.0.1c 10 May 2012) and 5.4 (OpenSSL 1.0.1c 10 May 2012)
- FreeBSD 10.0 – OpenSSL 1.0.1e 11 Feb 2013
- NetBSD 5.0.2 (OpenSSL 1.0.1e)
- OpenSUSE 12.2 (OpenSSL 1.0.1c)
CentOS, Debian, Fedora, Red Hat, openSUSE and Ubuntu have already issued fixes. Google also reports that it has patched services like Gmail, Google Play, YouTube and Apps, and Amazon says it has already patched affected services.
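For administrators checking their own servers against the list above, the following added example (not part of the original article) triages a version string by its upstream OpenSSL release. It assumes the upstream affected range of 1.0.1 through 1.0.1f, which comes from the OpenSSL advisory rather than from this page, and the function names are illustrative.

```python
import re

# Upstream OpenSSL releases affected by Heartbleed: 1.0.1 through 1.0.1f.
# Assumption: this range is from the upstream advisory, not from the article.
_VERSION = re.compile(r"(?:OpenSSL\s+)?(\d+)\.(\d+)\.(\d+)([a-z]?)")


def upstream_version(text):
    """Parse `openssl version` output or a package version string."""
    text = text.strip()
    if "beta" in text:
        raise ValueError("pre-release builds are outside this check")
    m = _VERSION.match(text)
    if m is None:
        raise ValueError(f"no OpenSSL version in {text!r}")
    major, minor, fix, letter = m.groups()
    return int(major), int(minor), int(fix), letter


def in_affected_range(text):
    """True when the upstream release is 1.0.1 through 1.0.1f."""
    major, minor, fix, letter = upstream_version(text)
    # "" (plain 1.0.1) sorts before "a", so one comparison covers the range.
    return (major, minor, fix) == (1, 0, 1) and letter <= "f"


def triage(text):
    """Return a short verdict for one version string."""
    if in_affected_range(text):
        # Distributions backport the fix without changing the upstream
        # letter, so the package revision decides whether a build is patched.
        return "affected upstream release: check package revision with vendor"
    return "upstream release outside the affected range"


# Version strings taken from the list above, plus constructed unaffected ones.
SAMPLES = [
    "1.0.1e-2+deb7u4",             # Debian Wheezy entry
    "1.0.1-4ubuntu5.11",           # Ubuntu 12.04.4 entry
    "OpenSSL 1.0.1c 10 May 2012",  # OpenBSD entry
    "OpenSSL 1.0.1g",              # constructed: first fixed upstream release
    "0.9.8y",                      # constructed: older branch
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s:30} {triage(s)}")
```

A result in the affected range is a prompt to compare the installed package revision with the distribution's fix announcement, since patched packages can keep the same upstream version letter.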
Attackers can also steal the company’s private information and use it as a form of corporate ID theft, impersonating the business to access the data of customers. One of the larger companies affected is Yahoo! People testing out the bug were able to pull usernames and passwords for Yahoo accounts easily. The LastPass checker can be used to see if a site you visit is vulnerable.
As we said, sites are fixing the flaw. But there’s no way now to know whose information may have been accessed. As always, it’s a good idea to watch your credit card statements closely. And if you have an account with any affected service, it’s a good idea to change your password.