The Heartbleed Bug is an OpenSSL vulnerability that would allow malicious hackers to steal information from websites that would normally be protected by the SSL/TLS encryption. The open source OpenSSL cryptography library is used to implement the Internet’s Transport Layer Security (TLS) protocol.
Named by the researchers who discovered the security flaw, the Heartbleed Bug theoretically lets anyone on the Internet access a secure Web server running certain versions of OpenSSL to obtain site encryption keys, user passwords and site content.
According to the official Heartbleed Bug website, OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable while OpenSSL version 1.0.1g patches the security flaw.
Heartbleed Flaw Creation and Bug Discovery
The Heartbleed bug was initially discovered by Google engineer Neel Mehta and the Finnish security firm Codenomicon. The security flaw was introduced in the open source OpenSSL encryption protocol by German software developer Robin Seggelmann. Since the flaw has become widely known, Seggelmann has said the bug was inadvertently missed by himself and another code reviewer and the bug was not inserted maliciously, despite online conspiracy theories concerning Heartbleed, such as NSA using the Heartbleed bug to spy.
The Heartbleed Bug in the News
Heartbleed Bug Rumors
RCMP asked Revenue Canada to delay news of SIN thefts
Heartbleed bug bites millions of Android phones
Heartbleed bug: What s affected and what passwords you need to change
Tests confirm Heartbleed bug can expose server’s private key
Heartbleed Attacks
There are few documented cases of attacks exploiting the Heartbleed bug, but security experts warn that using the bug would leave no trace and all websites using the affected OpenSSL versions should be considered compromised.
While many large sites, including Google, Facebook and others were quick to note services were “safe” from Heartbleed, the public announcement on April 8, 2014 seems to have prompted attacks. The Canada Revenue Agency (CRA) shut down it public online services to patch for the flaw but before the fix was implemented the CRA said 900 social insurance numbers were stolen from CRA computers by persons exploiting the Heartbleed bug.
In another reported attack, UK-based parenting website, Mumsnet, also claims to have experienced a breach where the infiltrator claimed to have used Heartbleed to access an account. The site provided some details to its users along with instructions on how to reset site passwords.
Heartbleed: Beyond the Internet
The Heartbleed bug extends beyond the Internet. For example, mobile devices running the 4.1.1 Android operating system (released in 2012) have the Heartbleed software bug. All other versions are immune to the flaw, but this leaves millions of smartphones and tablets vulnerable. In addition, operating systems, including Debian Wheezy (stable), Ubuntu 12.04.4 LTS, CentOS 6.5, OpenBSD 5.3 and OpenSUSE 12.2 are versions that have shipped with a vulnerable OpenSSL version (see full list).