Skip to main content

Heartbleed bug affects ‘almost everyone,’ expert warns

Experts say the Heartbleed OpenSSL bug — a flaw in the network software meant to protect your data — may have actually allowed hackers to steal the very data it’s meant to guard. Think you’re safe from this obscure bug in OpenSSL, whatever that is? Think again. One expert noted that “almost everyone” uses it. 

“Given that over half of the world’s webservers use Apache, and Apache uses OpenSSL, the majority of people are using applications built on top of OpenSSL on a regular basis,” explained Steve Pate, the Chief Architect at cloud services company HyTrust.

Recommended Videos

The Heartbleed bug is a security hole discovered in OpenSSL, widely used network software that encrypts the sensitive data you input into many popular websites. The flaw allows hackers to steal data directly from the memory chips of servers all over the world, and has been in existence for roughly two years. Jean Taggart, a Senior Security Researcher at Malwarebytes, which makes popular anti-malware software, described it as an easy way for crooks to invisibly sweep up your data.

MORE: What is the Heartbleed Bug?

“This vulnerability gives cyber criminals a method for collecting very sensitive information, like private encryption keys. If an adversary has extracted the private key through the Heartbleed vulnerability, they can impersonate the victim, and set up an undetectable man-in-the-middle attack,” Taggart said.

OpenSSL has a history of being vulnerable to attacks, Pate says, with the first flaw spotted by HyTrust back in May of 2009. However, Pate also notes that though OpenSSL 1.0.1 and 1.0.2-beta already have Heartbleed bug fixes available, if the affected versions are being used, the exploit may have already been used by hackers to swipe sensitive data.

 Taggart also explained that exterminating the security flaw will be no easy task.

“Fixing this bug will not be trivial, because even though security professionals can roll out an upgrade, many will not reset their certificates as this is a difficult and lengthy task. So if they were compromised prior to the announcement of the bug, their private keys might already be in the hands of adversaries, and their encrypted communications could be intercepted by third parties.”

MORE: Which websites are affected by the Heartbleed Bug?

Nathaniel Couper-Noles, a Principal Security Consultant at security firm Neohapsis, said that though there are workarounds and fixes available to combat Heartbleed, “the horse may already be out of the barn.”

“Many organizations aren’t instrumented to identify whether and where they’re vulnerable, the attack may leave no footprint discernable from legitimate traffic, and the consequences can potentially be long term,” Couper-Noles said. On top of that, Couper-Noles noted that there could be “hundreds or thousands of affected systems” across the world’s businesses.

At this point, changing your passwords is the best course of action you can take to protect yourself from the Heartbleed bug. On top of that, avoiding the webpages on this list of sites that are allegedly affected by the OpenSSL flaw is also highly recommended.

Image credit: http://www.wallpaperzzz.com

Konrad Krawczyk
Former Digital Trends Contributor
Konrad covers desktops, laptops, tablets, sports tech and subjects in between for Digital Trends. Prior to joining DT, he…
Why writing with ChatGPT actually makes my life harder
ChatGPT prompt bar.

I remember when ChatGPT first appeared, and the first thing everyone started saying was "Writers are done for." People started speculating about news sites, blogs, and pretty much all written internet content becoming AI-generated -- and while those predictions seemed extreme to me, I was also pretty impressed by the text GPT could produce.

Naturally, I had to try out the fancy new tool for myself but I quickly discovered that the results weren't quite as impressive as they seemed. Fast forward more than two years, and as far as my experience and my use cases go, nothing has changed: whenever I use ChatGPT to help with my writing, all it does is slow me down and leave me frustrated.

Read more
9 macOS Sequoia features every Mac user should know
macOS Sequoia being introduced by Apple's Craig Federighi at the Worldwide Developers Conference (WWDC) 2024.

Apple’s macOS Sequoia operating system launched with a whole heap of interesting new features, and there’s a lot to try if you’ve just recently updated your Mac. But which new additions are worth your time, and which can be passed over?

That’s the question we’re aiming to answer today. We’ve scoured macOS Sequoia to find the nine key features that every Mac user should know about. From Apple Intelligence to iPhone Mirroring, these are the tools and technologies that you’ll want to try next.

Read more
Meta is training AI on your data. Users say opting out doesn’t work.
Meta AI WhatsApp widget.

Imagine a tech giant telling you that it wants your Instagram and Facebook posts to train its AI models. And that too, without any incentive. You could, however, opt out of it, as per the company. But as you proceed with the official tools to back out and prevent AI from gobbling your social content, they simply don’t work. 

That’s what users of Facebook and Instagram are now reporting. Nate Hake, publisher and founding chief of Travel Lemming, shared that he got an email from Meta about using his social media content for AI training. However, the link to the opt-out form provided by Meta doesn’t work.

Read more