San Francisco, CA, United States (4E) – A newly found flaw in OpenSSL, the software that encrypts and secures online transactions, is being exploited by hackers to steal passwords and other user data from computer servers, according to an Internet security company.
The flaw is a bug called Heartbleed. It reads the memory of a computer running vulnerable OpenSSL versions, which also lets attackers steal source code and the “keys” that allow them to impersonate websites or unlock encrypted data, the Netherlands-based Fox-IT said. Fox-IT said the bug has existed for two years already but was discovered only days ago.
Heartbleed.com, a website put up by the Finnish company Codenomicon to answer questions about the bug and to help Internet users deal with it, warns that once the secret keys used to identify service providers and encrypt traffic, the names and passwords of users, and the actual content are stolen, hackers or anyone else can use them to eavesdrop on communications, steal data directly from services and users, and impersonate services and users. Codenomicon tested the bug to confirm its capability.
Security researchers reportedly tried the bug on Yahoo and were able to steal passwords, prompting the Internet company to patch the vulnerability.
The developers of OpenSSL urged users to upgrade to an improved and secure version of the cryptographic software. They issued software patches and updates on Tuesday and released a fixed version of OpenSSL.
Operating system vendors and distributions, appliance vendors and independent software vendors have to adopt the fix and notify their users, Heartbleed.com said on its website. Service providers and users have to install the fix as it becomes available for the operating systems, networked appliances and software they use, it added.
Heartbleed.com advised Internet users to change their passwords for applications such as web, email, instant messaging and some virtual private networks.