PCR Tech and IT retail, distribution and vendor news
A vast number of websites running OpenSSL have been exposed to a major security bug called Heartbleed.
A scan performed by Mustafa Al-Bassam (a former member of the LulzSec hacker collective who is now a computer science student) was posted to Github.com on Monday and claims to show which of the top 1,000 websites have been compromised.
Those among the list includes Yahoo, Flickr, WeTransfer, Cheezburger, and Imgur.
You can view the full list here.
Other major sites have already released statements about the situation.
Google has admitted that Gmail was affected, but has released a patch, telling users that they do not need to change their passwords, but ‘better to be safe than sorry’.
While Amazon.com was not affected, Amazon Web Services (for website operators) was. Again, a patch has been implemented and while most services were unaffected, it is advised to change passwords.
Dropbox, SoundCloud and OKCupid are among others who were affected and have already taken the necessary steps to fix patches.
Internet users can visit filippo.io/heartbleed and type in a web address to see if the site has been fixed yet.
While many may be panicking about changing every password they’ve ever created, security experts are warning that it may not be as urgent a problem as some first thought.
“If a password has been compromised, it’s important to change it. However, in this case it will not help unless the fix for this vulnerability has been applied by the provider – since the new password could be compromised too,” David Emm, Kaspersky’s senior security researcher, told PCR.
OpenSSL is a popular cryptographic library used to digitally scramble sensitive data as it passes to and from computer servers.
The idea is that only the service provider and the intended recipients can make sense of the data, but Heartbleed leaves users’ passwords and other sensitive data open to being spied on.
Visitors know that a site uses OpenSSL if they see a padlock icon in their web browser.
It is thought that the bug may have already been around for two years.
“We don’t yet know to what extent this bug may have been exploited,” Emm said.
“That’s why it’s really important that providers of online services and any product that makes use of OpenSSL, make sure that they’re using the fixed version of the OpenSSL library.”
Green Man Gaming has also offered up advice on the matter. The games etailer has posted some information on its Playfire community blog detailing how Google Chrome users can check the HTTPS/SSL settings.
