The general populace are being urged to change passwords following the discovery of a security flaw.
The flaw is in OpenSSL, a popular cryptographic library used to digitally scramble and safeguard sensitive data. Internet users see a padlock in the web browser when a site uses encryption, which may indicate that the organisation uses OpenSSL, although rival security products can also show this symbol.
Tumblr, Yahoo's blogging platform, has advised the public to ‘change your passwords everywhere – especially your high-security services like email, file storage and banking’.
Google and the security firm Codenomicon have revealed that the flaw has existed for two years and could allow the exposure of the secret keys that identify the organisations using OpenSSL. Attackers holding copies of those keys could steal the names and passwords of people using these organisations' services.
The fault has been named the ‘Heartbleed Bug’ because it causes memory contents to leak between servers and clients. It is unclear whether the flaw has been exploited, as such attacks leave no trail.
Google is understood to have informed a select number of organisations before the information was released into the public domain, to allow them to update to the newest version of OpenSSL, released earlier this week.
Yahoo, however, were not one of those informed, resulting in passwords and usernames being exposed prior to the company applying the fix.
A spokeswoman for Yahoo said:
“Our team has successfully made the appropriate corrections across the main Yahoo properties – Yahoo Homepage, Yahoo Search, Yahoo Mail, Yahoo Finance, Yahoo Sports, Yahoo Food, Yahoo Tech, Flickr and Tumblr – and we are working to implement the fix across the rest of our sites right now.”
NCC Group, a cybersecurity company that advises FTSE 250 enterprises, described the situation as “grave”. Associate Director Ollie Whitehouse told the BBC:
“The level of knowledge now needed to exploit this vulnerability is substantially less than it was 36 hours ago.
“Someone with a moderate level of technical skills running their own scripts – the Raspberry Pi generation – would probably be able to launch attacks successfully and gain sensitive information.
“As long as service providers have patched their software it would now be a prudent step for the public to update their passwords.”
Dr Steven Murdoch, Researcher at the University of Cambridge Computer Laboratory, has said that the threat is not as urgent as cases where confirmed password lists are posted online:
“I think there is a low to medium risk that any given password has been compromised […] But changing your password is very easy. So it’s not a bad idea but it’s not something people have to rush out to do unless the service recommends you do so”.
Codenomicon believe over 66% of active internet sites rely on OpenSSL. To help find out whether services are still vulnerable, several online tests have been published, such as the Qualys SSL Server Test.
Source: BBC News