Web security in doubt after discovery of 'Heartbleed' flaw

Millions of websites, online stores and social networks are operating with a major security hole in place, exposing user information and financial information to hackers.

That's because a core safety mechanism used to secure the internet has a flaw in it. Worse still, it has been in place for over two years and experts are unsure if it has been exploited for criminal or espionage purposes.

Late on Tuesday, the bombshell hit the web: a Google security engineer and some other researchers published information indicating they had discovered a serious flaw, dubbed "Heartbleed", in numerous versions of the OpenSSL cryptographic software library, which is used to secure millions of websites.

Tech news website The Verge labelled it "the most dangerous security flaw on the web".

"It is catastrophically bad," ICSI security researcher Nicholas Weaver told the publication.

Anonymisation software service Tor put it more bluntly: "If you need strong anonymity or privacy on the internet, you might want to stay away from the internet entirely for the next few days…"

"This might be a good day to call in sick and take some time to change your passwords everywhere - especially your high-security services like email, file storage, and banking, which may have been compromised by this bug," Yahoo's Tumblr said.

"This ... means that the little lock icon (HTTPS) we all trusted to keep our passwords, personal emails, and credit cards safe, was actually making all that private information accessible to anyone who knew about the exploit."

Meliisa Elliot, a security researcher, noticed the flaw affecting a number of Yahoo websites - including the Yahoo.com search engine, email service mail.yahoo.com, and photography site Flickr.com - and suggested that users of those sites should stay away from them until they were patched.

Others echoed her concerns, saying that the only way internet users could be sure they were safe was to stop using vulnerable websites while they were unpatched, and to change their passwords after that. (A helpful tool at filippo.io/Heartbleed shows if a site is vulnerable.)

The flaw allowed anyone to grab credentials from a web server in plain text. In Yahoo's case,this was possible for most of Tuesday until it patched its sites on Wednesday.

Australian IT security expert Chris Gatford, of HackLabs, wrote in a blog post that about 10 per cent of the Australian Stock Exchange top 200 companies used vulnerable versions of OpenSSL as of Tuesday night. Although some might dismiss the flaw, he was concerned by it.

A separate search of Alexa's top 10,000 websites on the internet performed by former Lulzsec hacker Mustafa Al-Bassam found about 629 of them vulnerable to the flaw.

"...We have been able to dump from the affected servers plain text usernames and passwords, session cookies of banking customers and other information that would at the least allow compromise of user accounts etc. from the affected web applications running on the tested servers," Mr Gatford said.

While usernames and passwords were exposed, if an attacker had access to a user's session cookie, they could log-in as the user without their password, as the cookie acts as their log-in.

A search by Fairfax Media using publicly available vulnerability testing websites uncovered retailer JB Hi Fi's website jbhifionline.com.au was vulnerable to the flaw on Tuesday, as well as cert.gov.au, the Australian government's Community Emergency Response Team website.

Priceline's priceline.com.au and the Commonwealth Courts portal comcourts.gov.au were also vulnerable.

Comment is being sought from these organisations by Fairfax as to what they will be doing to address the issue.

JB Hi Fi chief executive Terry Smart said JB Hi Fi's website used Amazon Web Services,which was vulnerable to the flaw until late on Tuesday.

"We're updating all of our [SSL] certificates to protect against this potential issue," Mr Smart said.

"No attacks have been identified by both our internal and external scans and we're confident that no data breaches have occurred."

The flaw

OpenSSL is one way to implement the cryptographic protocol Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), on web servers. Most consumers know when these protocols are implemented when they see "https" and a padlock in their browser.

The padlock is the indication web users look for to be assured a website is safe and transmitting their data in a secure manner. It essentially means that the connection between the user and the server is encrypted and can't be snooped on. The idea behind using this is so that anyone attempting to perform a "man in the middle" attack can't see the data transmitted. This means that even if a rogue network administrator at an internet service provider was in the "middle" of your connection and tried to intercept it they would be unsuccessful and get encrypted data they couldn't decrypt.

But thanks to the flaw the IT security researchers found, in many instances the way the encryption has been implemented on the server side across large swathes of the internet has been flawed. It's meant that an attacker with knowledge of it would have been able to get servers to spit out data previously thought to be secure by injecting the server with exploit code.

That leaky data was coming out in chunks from a server's memory, and a number of proof of concepts built overnight show that lots of private user data can be extracted from a server over time.

Attackers could do this all remotely, the researchers who found the flaw said. Further, it's thought that a server's "crown jewels" - the private keys it uses to encrypt data between it and users - could have also been stolen using the flaw, as it allowed for not only client data to be stolen but server data.

It may sound boring, but many IT security experts have told Fairfax Media, publisher of this article, that it's really important for internet users to understand the flaw and the risks.

"You are likely to be affected either directly or indirectly," the researchers who found the flaw said of the bug.  "OpenSSL is the most popular open source cryptographic library and Transport Layer Security implementation [is] used to encrypt traffic on the internet.

"Your popular social site, your company's site, commerce site, hobby site, site you install software from or even sites run by your government might be using vulnerable OpenSSL."

With the private keys potentially having been stolen, it means affected companies now face making a decision of whether they need to renew and regenerate their private keys - at a cost. This can vary from a couple of dollars to thousands depending on the type of key purchased.

As of Wednesday morning, hacking search engine tool Shodan was showing there were at least 576,231 devices worldwide with vulnerable versions of OpenSSL running on them. Of those, 6270 were based in Australia. The numbers are by no means comprehensive - as Shodan doesn't index the entire internet - and they may include some servers that aren't affected.

Security experts are encouraging users to wait until the sites they use patch their OpenSSL and issue new certificates before recommending they change their passwords.

Smartphone
Tablet - Narrow
Tablet - Wide
Desktop