OpenSSL "Heartbleed" bug exposes user data to cyber criminals

Visitors to any one of hundreds of millions of websites on the Internet may have been subject to spying and eavesdropping due to a newly discovered bug.

Discovered by researchers working for Google and Codenomicon, the bug, named "Heartbleed", is a "serious vulnerability" in the open-source security protocol library OpenSSL that allows attackers to read memory on affected servers.

By exploiting it, criminals could discover the keys used to encrypt data as it passes between a server and its users.

"This allows attackers to eavesdrop on communications, steal data directly from the services and users or impersonate services and users," wrote the team that discovered the vulnerability, according to a website dedicated to the findings.

A large portion of the Internet could be vulnerable as a result, since OpenSSL is used in the server software that hosts more than 500 million websites. It is still unknown what proportion of those currently run the affected versions.

"If you need strong anonymity or privacy on the internet, you might want to stay away from the internet entirely for the next few days while things settle," warned The Tor Project in a blog post.

Attackers exploiting the bug can read only 64K of memory in a single iteration of the attack, but they can repeat it as often as they like until enough secrets are revealed.

Attacks using the flaw also "leave no traces of anything abnormal happening to the logs," the researchers wrote.

It is unknown whether anyone has in fact exploited the bug in the two years it has been present, but the research team is urging that software be upgraded as soon as possible.