This Giant Security Hole Could Impact A Huge Chunk Of The 'Secure' Web

Hackers are always inventing new backdoors and methods of breaching data, but a recently discovered bug appears to be more critical than most.

Nicknamed "the Heartbleed Bug," the new security flaw enables an attacker to steal protected content and the encryption keys that guard it, according to new reports. The bug is a missing length check in OpenSSL's handling of the TLS "heartbeat" extension: a malformed heartbeat request tricks a secure server - which handles encrypted data - into replying with a chunk of its own memory, and that memory can hold data that has already been decrypted as well as the server's secret keys.
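To make that mechanism concrete, here is an added example in C that is not code from the original article, from Codenomicon or from OpenSSL itself. It is a toy model of the heartbeat exchange: the function names, the "connection memory" layout and the embedded secret string are constructed for the illustration. The vulnerable handler trusts the length field inside the request and copies that many bytes out of memory; the fixed handler first checks the claimed length against the number of bytes actually received and silently drops the record if it does not fit.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16   /* RFC 6520 requires at least 16 bytes of padding */
#define READ_U16(p) ((uint16_t)(((p)[0] << 8) | (p)[1]))

/* Constructed sample: memory a server holds for one connection. Only the first
 * CONN_RECORD_LEN bytes are the heartbeat record received; the rest is unrelated. */
static const unsigned char conn_memory[] =
    "\x01"                 /* type: heartbeat request */
    "\x00\x40"             /* claimed payload length 64, but only 4 bytes follow */
    "ping"                 /* the payload actually sent */
    "PPPPPPPPPPPPPPPP"     /* 16 bytes of padding */
    "SECRET-PRIVATE-KEY-BYTES-AND-PASSWORDS-LIVING-NEARBY";
#define CONN_RECORD_LEN (1 + 2 + 4 + HB_PADDING)

/* Constructed sample: an honest request whose length field is truthful. */
static const unsigned char good_request[] = "\x01" "\x00\x04" "ping" "PPPPPPPPPPPPPPPP";
#define GOOD_RECORD_LEN (1 + 2 + 4 + HB_PADDING)

/* Shared response builder: echoes payload_len bytes starting at payload. */
static size_t build_response(const unsigned char *payload, uint16_t payload_len,
                             unsigned char *out, size_t out_cap)
{
    size_t resp_len = 1 + 2 + (size_t)payload_len + HB_PADDING;
    if (resp_len > out_cap)
        return 0;
    out[0] = HB_RESPONSE;
    out[1] = (unsigned char)(payload_len >> 8);
    out[2] = (unsigned char)(payload_len & 0xff);
    memcpy(out + 3, payload, payload_len);   /* copies whatever follows the record */
    memset(out + 3 + payload_len, 0, HB_PADDING);
    return resp_len;
}

/* Vulnerable handler: trusts the peer-supplied length field and never compares
 * it with rec_len, the number of bytes actually received. */
size_t heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                            unsigned char *out, size_t out_cap)
{
    (void)rec_len;                            /* the bug: ignored entirely */
    if (rec[0] != HB_REQUEST)
        return 0;
    return build_response(rec + 3, READ_U16(rec + 1), out, out_cap);
}

/* Fixed handler: drops records too short to be valid, or whose claimed payload
 * plus padding does not fit inside what was actually received. */
size_t heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                       unsigned char *out, size_t out_cap)
{
    if (rec_len < 1 + 2 + HB_PADDING || rec[0] != HB_REQUEST)
        return 0;
    uint16_t payload_len = READ_U16(rec + 1);
    if (1 + 2 + (size_t)payload_len + HB_PADDING > rec_len)
        return 0;                             /* silently discard, as the fix does */
    return build_response(rec + 3, payload_len, out, out_cap);
}

/* Returns 1 if needle occurs anywhere in the response bytes. */
int response_contains(const unsigned char *resp, size_t n, const char *needle)
{
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(resp + i, needle, m) == 0)
            return 1;
    return 0;
}

/* 1 if the vulnerable handler echoes the neighbouring secret back to the peer. */
int demo_vulnerable_leaks(void)
{
    unsigned char out[256];
    size_t n = heartbeat_vulnerable(conn_memory, CONN_RECORD_LEN, out, sizeof out);
    return response_contains(out, n, "SECRET-PRIVATE-KEY");
}

size_t demo_fixed_drops_malformed(void)   /* 0 means the record was dropped */
{
    unsigned char out[256];
    return heartbeat_fixed(conn_memory, CONN_RECORD_LEN, out, sizeof out);
}

size_t demo_fixed_answers_honest(void)    /* response length for the honest record */
{
    unsigned char out[256];
    return heartbeat_fixed(good_request, GOOD_RECORD_LEN, out, sizeof out);
}

int main(void)
{
    printf("vulnerable handler leaks neighbouring memory: %s\n", demo_vulnerable_leaks() ? "yes" : "no");
    printf("fixed handler: malformed -> %zu bytes, honest -> %zu bytes\n",
           demo_fixed_drops_malformed(), demo_fixed_answers_honest());
    return 0;
}
```

Because the length field is 16 bits, one malformed request can pull up to roughly 64 KB of adjacent memory, and the attacker can repeat it as often as it likes; nothing in the vulnerable path logs or rejects the request, which is why Codenomicon could say below that the attack leaves no trace. The real OpenSSL fix added exactly this kind of check of the claimed payload length against the record length.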

Secure servers handle personal information in transit, for example your credit card number when you make an online purchase. That information is protected by encryption: a cipher and a secret key transform the plain text (such as the numbers and letters used in bank account numbers and passwords) into ciphertext that looks like random gibberish while it travels between your browser and the server, and only a holder of the matching key can turn it back into readable text. For instance, a message as simple as "Hello!" might travel as something like "F#h7er" and be recovered only at its recipient. This is what stops hackers who intercept the traffic from reading your sensitive information.

The Heartbleed Bug is specifically detrimental because the attacker does not have to break the encryption at all: the leaked memory can contain data the server has already decrypted, and it can contain the server's private key itself. Once an attacker has that key, he or she may be able to decrypt captured traffic and impersonate the site so convincingly that the security checks in your Web browser still pass, according to TechCrunch.

The bug specifically affects "OpenSSL" - the open source cryptographic library that implements SSL/TLS for a very large portion of the Internet's traffic and holds a server's private keys in memory while it runs. Open source Web servers that commonly build on OpenSSL, Apache and nginx, together account for 66 percent of active sites on the Web, according to data from Netcraft's April 2014 Web Server Survey.

The OpenSSL Project issued a security advisory on its website April 7, saying that any system running a version of OpenSSL from the past two years is at risk, according to TechCrunch. The affected releases are OpenSSL 1.0.1 through 1.0.1f; the flaw is tracked as CVE-2014-0160 and is fixed in 1.0.1g, while the older 1.0.0 and 0.9.8 branches are not affected. One caveat for anyone checking a server: Linux distributions often backport the fix without changing the reported version number, so the package changelog, not the version string alone, tells you whether a system is patched.

Security firm Codenomicon reports that any app or website running on OpenSSL could be affected. The firm has posted a lengthy FAQ detailing the issue and its potential impacts, which reads in part:

You are likely to be affected either directly or indirectly. OpenSSL is the most popular open source cryptographic library and TLS (transport layer security) implementation used to encrypt traffic on the Internet. Your popular social site, your company's site, commercial site, hobby site, site you install software from or even sites run by your government might be using vulnerable OpenSSL.

What's more, Codenomicon said it tested the bug against its own systems to understand the severity of its effects. Here's what the company found:

We have tested some of our own services from the attacker's perspective. We attacked ourselves from outside, without leaving a trace. Without using any privileged information or credentials we were able to steal from ourselves the secret keys used for our X.509 certificates [the standard format for the certificates that identify a TLS server], user names and passwords, instant messages, emails and business critical documents and communication.

The Heartbleed issue was found independently by Neel Mehta of Google Security and by a team at Codenomicon. OpenSSL has since issued an emergency software update, version 1.0.1g, to address the bug.