This week it’s come to light that an extremely serious security breach may have affected countless web services. The OpenSSL library is used by a huge number of web servers to manage SSL and TLS security protocols. Given that the discovered breach has existed since December 2011, all the alarms have been sounded and companies like Google and Facebook are now taking measures to resolve it. Although this problem may not affect users directly, many services have recommended that you change your passwords.
Heartbleed: The Internet bleeds
We’re going to try to explain the problem as simply as possible so everybody understands the importance of this situation. The breach lets an attacker “trick” a server by sending it a data packet that declares a fake size: the server’s reply can then expose data it was holding, including your security credentials. This page offers more in-depth information on the nature of the breach.
Now imagine that this attack has taken place on, for example, a Facebook server. As you do every day, you log in with your details on your computer or smartphone to access the social network, and your computer sends the request to the server that provides that service. But what if an attacker has taken advantage of the security breach on that server? Well, you’d be sending your Facebook password to a stranger.
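To make the “fake size” concrete, here is an added illustration in miniature (constructed for this article, not code from OpenSSL): a heartbeat record whose declared payload length exceeds the bytes actually sent, handled first by a handler that trusts the declared length and then by one with the bounds check the fix for CVE-2014-0160 introduced. The arena buffer, the secret placed next to the record, and the function names are assumptions of this example.

```c
#include <stdint.h>
#include <string.h>

/* Simulation of the heartbeat handling bug. A heartbeat record is:
 * type (1 byte), payload_length (2 bytes, big-endian), payload, 16 bytes
 * of padding. Everything lives in one arena so the over-read in the
 * vulnerable path stays inside this program's own memory. */
#define ARENA_SIZE 128
#define PADDING 16

/* 'arena' stands in for process memory: the heartbeat record first,
 * followed by a secret that happens to sit next to it (constructed). */
static unsigned char arena[ARENA_SIZE];

/* Build a request claiming 'claimed_len' bytes of payload but carrying
 * only 'actual_len'. Returns the record length as the TLS layer saw it. */
size_t build_request(uint16_t claimed_len, const char *payload,
                     size_t actual_len, const char *secret)
{
    memset(arena, 0, sizeof arena);
    arena[0] = 1;                              /* heartbeat request type */
    arena[1] = (unsigned char)(claimed_len >> 8);
    arena[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(arena + 3, payload, actual_len);
    size_t record_len = 3 + actual_len + PADDING;
    strcpy((char *)arena + record_len, secret); /* leftover data past the record */
    return record_len;
}

/* Vulnerable handler: copies as many bytes as the packet claims. */
size_t heartbeat_vulnerable(size_t record_len, unsigned char *out, size_t out_cap)
{
    (void)record_len;                          /* never consulted: the bug */
    uint16_t payload_len = (uint16_t)((arena[1] << 8) | arena[2]);
    if (payload_len > out_cap || 3 + (size_t)payload_len > ARENA_SIZE)
        return 0;                              /* simulation bound only */
    memcpy(out, arena + 3, payload_len);       /* runs past the real payload */
    return payload_len;
}

/* Fixed handler: the claimed payload plus header and padding must fit
 * inside the record that was actually received, otherwise discard it. */
size_t heartbeat_fixed(size_t record_len, unsigned char *out, size_t out_cap)
{
    if (record_len < 1 + 2 + PADDING) return 0;
    uint16_t payload_len = (uint16_t)((arena[1] << 8) | arena[2]);
    if (1 + 2 + (size_t)payload_len + PADDING > record_len) return 0;
    if (payload_len > out_cap) return 0;
    memcpy(out, arena + 3, payload_len);
    return payload_len;
}
```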
What can you do to protect yourself?
Since the problem surfaced, a huge number of companies that use OpenSSL have released statements on the situation. Mashable has created a complete list of the major services affected by the events and the measures to take into account for those whose security has been compromised:
- Facebook: Although no evidence of an attack has been discovered, it’s strongly recommended to change your password.
- Tumblr: The security breach has been corrected, but it’s still suggested that you change your password.
- Twitter: No statement has been made and it is unknown whether the network has been affected.
- Yahoo (Mail): Has been affected; the company is working on a solution; in the meantime, change your password.
- Dropbox: Has resolved the problem, though it’s still recommended that you change your password.
Many other services have also been compromised, such as LastPass, SoundCloud, OKCupid, or Wunderlist. Even gaming servers like Minecraft temporarily paused all their activity until they could launch a patch for the gaming client. To be totally safe, according to the Tor Foundation, it’s recommended to stay off the Internet for a few days.
Such is the number of compromised websites that the most sensible thing is to check each service that you use, one by one, to see whether it has been affected and whether it has already resolved the problem. This page shows whether a website has already resolved the CVE-2014-0160 bug (the official identifier for this vulnerability).