Security experts are urging consumers to change their Web passwords after the recent disclosure of a vulnerability touching wide swaths of the Internet, even as Google Inc. , Facebook Inc. and large banks said they weren’t affected.
The flaw to OpenSSL, an open-source software that runs on as many as two-thirds of all active websites, was reported on April 7, by researchers who pushed out a fix.
Dubbed Heartbleed, the bug could have allowed hackers to access encrypted e-mail messages, banking information, user names and passwords.
The flaw involving a two-year-old programming mistake was discovered by researchers from Google and Codenomicon, a security firm based in Finland, and reported to OpenSSL, according to a blog post from Codenomicon.
Google and Facebook said they addressed the problem before it was made public and saw no signs of vulnerabilities, while Yahoo! Inc. (YHOO) made the requisite fixes.
Yahoo’s Patch
“A vulnerability, called Heartbleed, was recently identified impacting many platforms that use OpenSSL, including ours,” Yahoo said in an e-mailed statement.
Before Yahoo issued its fix, security researcher Mark Loman from the Netherlands demonstrated Tuesday on Twitter that he was able to force the site to leak usernames and passwords.
“It wasn’t Yahoo’s fault, yet they’re very slow at installing the critical fix,” Loman wrote on his Twitter Inc. (TWTR) account. “Bug disclosure was flawed too.”
Extra Protection
Many large consumer sites running OpenSSL aren’t vulnerable to being exploited because they use specialized encryption equipment and software.
“The security of our users’ information is a top priority,” Google said in a statement yesterday.
In a statement, Facebook said it “added protections for Facebook’s implementations of OpenSSL before this issue was publicly disclosed, and we haven’t detected any signs of suspicious activity on people’s accounts.”
Tests on the home pages of other large technology, e-commerce and banking companies including Microsoft Corp., Amazon.com Inc. and Bank of America Corp. indicated they weren’t vulnerable.
Related Posts
- 30When Gabriel Weinberg launched a search engine in 2008, plenty of people thought he was insane. How could DuckDuckGo, a tiny, Philadelphia-based startup, go up against Google? One way, he wagered, was by respecting user privacy. Six years later, we're living in the post-Snowden era, and the idea doesn't seem…