It was released this week, a serious security flaw in OpenSSL, an implementation of open source often used to create secure connections using SSL and TLS protocols, such as those available on web pages with the famous padlock for security. To be exploited, the vulnerability allows a criminal to access the memory of the affected server and obtain sensitive information such as passwords and bank details.
The gap has existed for over two years and is being called Heartbleed, something like “bleeding heart” because it is in an extension called heartbeat that keeps active (or “living”) a secure connection. Through failure, a hacker can get 64 KB of data from the server every “heart beat” memory. It does not seem much, but the process can be repeated several times until the attacker is satisfied with the data obtained.
With the attack, it would be possible to leak emails, passwords, credit card numbers and other information HTTPS sites that, in theory, keep data safe by transferring them encrypted way between the server and the user. If the attack is carried out repeatedly, encryption keys of the services could be obtained to trick users with pages that seem reliable, but in the background are silently stealing data.
It is not necessary to take advantage of loopholes in the user’s computer to exploit the flaw; the hacker can directly attack an affected server. That is, users can not do much: just wait for server administrators to install the patch quickly to avoid leaks and revoke licenses in use. Linux distributions like Ubuntu 12:04 LTS, CentOS 6.5, Fedora 18 and Debian 7 had already distributed potentially vulnerable OpenSSL packages in the past. The version of OpenSSL 1.0.1g fixes the bug.
This is an error from OpenSSL, not the protocol, ie, services that use other implementations to provide secure connection should not be affected. The problem is that OpenSSL is extremely popular: among web servers that use OpenSSL are Apache and nginx, which account for about two-thirds (66%) of all active web sites, according to Netcraft . Moreover, it is also used by many VPNs and email and chat servers. Therefore, it is likely that you have been directly or indirectly affected.
Fortunately, companies like Google, Facebook and Amazon were not affected, but a list on GitHub shows some well-known sites, at least until yesterday, were potentially vulnerable, such as Yahoo, Flickr, 500px, Redtube (!), OkCupid, Steam, XDA Developers, WeTransfer and StackOverflow. This tool , while making few errors and false positives, is a good starting point to see if the websites you were vulnerable.
As the fault was present in OpenSSL for two years and can be exploited without a trace, will probably never know the amount of data that were obtained from the vulnerability. However, it is a good idea to change your passwords on sites listed above (Tumblr has announced that users ) and to monitor more closely the invoice credit card to detect suspicious transactions.
You can get more information about the Heartbleed on this site .