Updated | A flaw has been discovered in one of the Internet’s key security methods, potentially forcing a wide swath of websites to make changes to protect the security of consumers.
The problem was first discovered by a team of Finnish security experts and researchers at Google last week and disclosed on Monday. By Tuesday afternoon, a number of large websites, including Yahoo, Facebook, Google and Amazon Web Services, said they were fixing the problem or had already fixed it.
Researchers were still looking at the impact on consumers but warned it could be significant. Users’ most sensitive information — passwords, stored files, bank details, even Social Security numbers — could be vulnerable because of the flaw.
The most immediate advice from security experts to consumers was to wait or at least be cautious before changing passwords. Changing a password on a site that hasn’t been fixed could simply hand the new password over to hackers. Experts recommended that, before making any changes, users check a site for an announcement that it has dealt with the issue. “This is a good reminder that there are many risks online and it’s important to keep a watchful eye around what you’re doing, just as you would in the physical world,” said Zulfikar Ramzan, the chief technology officer of Elastica, a security company.
The extent of the vulnerability was unclear. Up to two-thirds of websites rely on the affected technology, called OpenSSL. But some organizations appeared to have had advance notice of the issue and had already fixed the problem by Tuesday afternoon. Many others were still working on restoring security.
Because attackers can use the bug to steal information unnoticed, it is unclear how widely the bug has been exploited — although it has existed for about two years. On Github, a website where developers gather to share code, some were posting ways to use the bug to dump information from servers. The Finnish security researchers, working for Codenomicon, a security company in Saratoga, Calif., and security researchers at Google found the bug in a portion of the OpenSSL protocol — which encrypts sessions between consumer devices and websites — called the “heartbeat” because it pings messages back and forth. The researchers called the bug “Heartbleed.”