
Some sites have plugged Heartbleed, but thousands haven’t, says security firm


According to Computerworld, Sucuri Security, a California-based Internet security firm, says that of the top 1 million sites on the Web as ranked by Alexa (a service that ranks websites by popularity using the Web traffic data it gathers), as much as two percent are still susceptible to the Heartbleed OpenSSL bug. However, Sucuri exec Daniel Cid said in an email that all of the top 1,000 Alexa sites were either never vulnerable or have since been patched and are no longer at risk. The findings are accurate as of last week.

Sucuri also found that 0.53 percent of the 10,000 most popular sites were vulnerable, rising to about 1.6 percent among the 100,000 most popular. In absolute terms: 53 of the top 10,000 sites were at risk, 1,595 of the top 100,000 were vulnerable, and 20,320 of the 1,000,000 most popular sites were still susceptible to Heartbleed.

“We were glad to see that the top 1,000 sites in the world were all properly patched, and that just 0.53% of the top 10k still had issues. However, as we went to less popular (and smaller) sites, the number of unpatched servers grew to 2%. That is not surprising, but we expected better,” Cid said in a blog post.

The Heartbleed bug (CVE-2014-0160, present in OpenSSL 1.0.1 through 1.0.1f and fixed in 1.0.1g) lets an attacker send a TLS heartbeat request whose length field claims a far larger payload than was actually sent. A vulnerable server never checks that claim against the size of the record it received, so it copies and echoes back up to 64 KB of whatever happens to sit in its process memory, and it can be asked again and again. That memory can hold sensitive information such as usernames, passwords, credit card numbers, emails, session cookies and, in the worst case, the server's private TLS key, which is why patched sites were also advised to reissue certificates.
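To make the mechanism concrete, here is an added example that is not code from the article, from Sucuri or from OpenSSL itself: a small C model of a TLS heartbeat handler in its vulnerable and patched forms. The "server memory" buffer, the planted secret string and its offset are constructed for this example; the two length checks in the patched handler mirror the ones the 1.0.1g fix added (discard the record if it is too short to hold a header plus padding, and discard it if the claimed payload plus header and padding exceeds the bytes actually received).

```c
/* Added example, not from the article or OpenSSL: a model of TLS heartbeat
 * handling (RFC 6520 message layout: 1-byte type, 2-byte payload length,
 * payload, then at least 16 bytes of padding). */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TLS1_HB_REQUEST  1
#define TLS1_HB_RESPONSE 2
#define HB_PADDING 16

/* A TLS record as the server sees it: `length` is how many bytes actually
 * arrived. Bytes beyond it model adjacent heap memory the server owns. */
struct record {
    const unsigned char *data;
    size_t length;
};

/* Attacker-controlled 16-bit big-endian payload length from the header. */
static uint16_t hb_payload_length(const unsigned char *p) {
    return (uint16_t)((p[1] << 8) | p[2]);
}

/* Vulnerable handler (pre-1.0.1g behaviour): trusts the claimed payload
 * length and copies that many bytes from the request buffer into the
 * response without ever looking at rec->length. Returns response size. */
size_t heartbeat_vulnerable(const struct record *rec, unsigned char *out, size_t out_cap) {
    const unsigned char *p = rec->data;
    uint16_t payload = hb_payload_length(p);
    size_t resp_len = 1 + 2 + (size_t)payload + HB_PADDING;
    if (resp_len > out_cap) return 0;
    out[0] = TLS1_HB_RESPONSE;
    out[1] = p[1];
    out[2] = p[2];
    memcpy(out + 3, p + 3, payload);          /* over-read if payload > length - 3 */
    memset(out + 3 + payload, 0, HB_PADDING);  /* padding */
    return resp_len;
}

/* Patched handler: refuse any heartbeat whose claimed size does not fit in
 * the record that was actually received; otherwise answer normally. */
size_t heartbeat_patched(const struct record *rec, unsigned char *out, size_t out_cap) {
    if (1 + 2 + HB_PADDING > rec->length) return 0;         /* too short, discard */
    uint16_t payload = hb_payload_length(rec->data);
    if (1 + 2 + (size_t)payload + HB_PADDING > rec->length) return 0; /* lie, discard */
    return heartbeat_vulnerable(rec, out, out_cap);          /* lengths agree: safe copy */
}

/* Constructed server memory: the malicious record at offset 0, a planted
 * secret (constructed for this example) 4 KB further along. */
#define MEM_SIZE 70000
static unsigned char server_mem[MEM_SIZE];
static const char secret[] = "Cookie: session=constructed-example-token";

static int contains(const unsigned char *hay, size_t n, const char *needle) {
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(hay + i, needle, m) == 0) return 1;
    return 0;
}

/* Returns 1 when the vulnerable handler echoes the planted secret and the
 * patched handler refuses the very same record; 0 otherwise. */
int demo_leaks_secret(void) {
    memset(server_mem, 0, sizeof server_mem);
    server_mem[0] = TLS1_HB_REQUEST;   /* heartbeat request ...           */
    server_mem[1] = 0xFF;              /* ... claiming 0xFFFF payload bytes */
    server_mem[2] = 0xFF;
    memcpy(server_mem + 4096, secret, sizeof secret);
    struct record rec = { server_mem, 3 };   /* only the 3-byte header arrived */

    static unsigned char out[1 + 2 + 0xFFFF + HB_PADDING];
    size_t n_vuln = heartbeat_vulnerable(&rec, out, sizeof out);
    int leaked = n_vuln > 0 && contains(out, n_vuln, secret);
    size_t n_patched = heartbeat_patched(&rec, out, sizeof out);
    return leaked && n_patched == 0;
}

int main(void) {
    printf("vulnerable handler leaks the planted secret, patched one refuses: %s\n",
           demo_leaks_secret() ? "yes" : "no");
    return 0;
}
```

The same comparison is what a remote check does from the outside: a server that answers a 3-byte heartbeat with tens of kilobytes is vulnerable, while a patched one returns nothing for that record but still answers a well-formed heartbeat whose claimed length matches what was sent.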

Security experts have voiced considerable concern about Heartbleed's potential impact. Mike Lloyd, CTO of network security firm RedSeal, said that people should "stop all transactions for a few days" once news of Heartbleed broke. The Canada Revenue Agency took the threat seriously enough to shut down its website on April 8, and did not bring it back online until April 13.

“If you are not patched, be aware that people are out there trying to test and exploit this vulnerability and get your server patched as quickly as possible,” Cid warned.
