Debunking hoaxes and exposing scams since 2003!


Heartbleed Bug - Users Warned to Change All Passwords


Circulating messages warn users about a serious security flaw called 'Heartbleed' that could expose passwords and other sensitive information.


Brief Analysis

The information in the warnings is valid. A vulnerability found in the OpenSSL encryption software could allow criminals to gain access to sensitive data, including login details. A new version of OpenSSL has been released that closes the security hole. Some security experts are advising people to change all of their passwords as soon as possible, and this advice is worth heeding. However, it should be noted that, until a given service has actually deployed the fixed OpenSSL, any new password set on that service may be exposed in exactly the same way as the old one.

Detailed Analysis

Various social media messages and online reports are warning users about a major security bug called 'Heartbleed'. The messages warn that a flaw in the OpenSSL cryptographic software library means that attackers could access user login details, financial information and other sensitive data. Many of the warnings urge users to change all of their passwords as quickly as possible.

The information in the warnings is true. Security experts recently discovered a significant flaw in OpenSSL that could indeed expose the sensitive data of Internet users.

Information about Heartbleed published by security management firm Codenomicon notes:
The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).

The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.

A fixed version of OpenSSL has now been released and is ready to be deployed. It is now up to the vendors who use OpenSSL to implement the new version. Until vendors deploy the fixed OpenSSL, the data of people who use the affected services will still be vulnerable to attack.
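The quoted advisory describes what the bug lets an attacker read but not why the read is possible. The C program below is an added illustration written for this article; it is not code from Hoax-Slayer, Codenomicon or OpenSSL. It models the TLS heartbeat handling behind CVE-2014-0160 in a deliberately simplified form: the message framing follows RFC 6520 (a 1-byte type, a 2-byte big-endian payload length, the payload, and at least 16 bytes of padding), while the function names, the buffer layout and the sample secret are this example's own assumptions. The vulnerable handler trusts the peer-supplied length field; the hardened one compares it against the number of bytes that actually arrived, which is the essence of the fix.

```c
/*
 * Simplified model of the TLS heartbeat flaw behind CVE-2014-0160 ("Heartbleed").
 * Added illustration, not OpenSSL's code: the message framing follows RFC 6520
 * (1-byte type, 2-byte big-endian payload length, payload, at least 16 bytes of
 * padding); the function names, buffer layout and sample secret are this
 * example's own assumptions.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16   /* minimum padding a response must carry */

static uint16_t read_be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Answers a heartbeat request by echoing payload_len bytes back to the peer.
 * VULNERABLE: payload_len comes from the peer and is never compared with the
 * number of bytes that actually arrived (rec_len), so memcpy keeps reading past
 * the record into neighbouring memory and sends it back. */
size_t hb_respond_vulnerable(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap)
{
    (void)rec_len;                                   /* the bug: real length ignored */
    if (rec[0] != HB_REQUEST) return 0;
    uint16_t payload_len = read_be16(rec + 1);
    if ((size_t)3 + payload_len + HB_PADDING > out_cap) return 0; /* guards only our output */
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload_len);           /* over-read of rec */
    memset(out + 3 + payload_len, 0, HB_PADDING);
    return 3 + payload_len + HB_PADDING;
}

/* Hardened version: a request whose declared payload (plus header and minimum
 * padding) does not fit in the received record is silently discarded, as
 * RFC 6520 section 4 requires. */
size_t hb_respond_fixed(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap)
{
    if (rec_len < 3 + HB_PADDING) return 0;          /* too short to hold a header */
    if (rec[0] != HB_REQUEST) return 0;
    uint16_t payload_len = read_be16(rec + 1);
    if ((size_t)3 + payload_len + HB_PADDING > rec_len) return 0; /* the missing check */
    if ((size_t)3 + payload_len + HB_PADDING > out_cap) return 0;
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload_len);
    memset(out + 3 + payload_len, 0, HB_PADDING);
    return 3 + payload_len + HB_PADDING;
}

/* Constructed scenario (not a real capture): a 23-byte heartbeat record that
 * carries 4 real payload bytes but declares `declared`, placed in a block of
 * process memory that also holds a user's credentials a little further on. */
#define SECRET     "password=hunter2"
#define SECRET_OFF 40
static size_t build_memory(uint8_t *mem, size_t cap, uint16_t declared)
{
    memset(mem, 0, cap);
    mem[0] = HB_REQUEST; mem[1] = (uint8_t)(declared >> 8); mem[2] = (uint8_t)declared;
    memcpy(mem + 3, "ping", 4);
    memcpy(mem + SECRET_OFF, SECRET, strlen(SECRET));
    return 3 + 4 + HB_PADDING;                       /* bytes that really arrived */
}

/* Returns 1 if the vulnerable handler echoes the secret back to the peer. */
int vulnerable_leaks_secret(void)
{
    uint8_t mem[128], out[256];
    size_t rec_len = build_memory(mem, sizeof mem, 64);   /* declares 64, has 4 */
    size_t n = hb_respond_vulnerable(mem, rec_len, out, sizeof out);
    /* out+3 mirrors mem+3, so the secret lands at the same offset in the reply */
    return n == 3 + 64 + HB_PADDING && memcmp(out + SECRET_OFF, SECRET, strlen(SECRET)) == 0;
}

/* Returns the fixed handler's reply length for the same malicious record (0 = dropped). */
size_t fixed_reply_len_for_attack(void)
{
    uint8_t mem[128], out[256];
    size_t rec_len = build_memory(mem, sizeof mem, 64);
    return hb_respond_fixed(mem, rec_len, out, sizeof out);
}

/* Returns the fixed handler's reply length for an honest 4-byte heartbeat. */
size_t fixed_reply_len_for_honest(void)
{
    uint8_t mem[128], out[256];
    size_t rec_len = build_memory(mem, sizeof mem, 4);
    return hb_respond_fixed(mem, rec_len, out, sizeof out);
}

int main(void)
{
    printf("vulnerable handler leaked secret: %s\n", vulnerable_leaks_secret() ? "yes" : "no");
    printf("fixed handler reply to attack:    %zu bytes\n", fixed_reply_len_for_attack());
    printf("fixed handler reply to honest:    %zu bytes\n", fixed_reply_len_for_honest());
    return 0;
}
```

The point to take from the model is that nothing in the vulnerable path is "corrupted": the handler simply believes the length the peer wrote and copies that many bytes, so whatever happened to be next in memory (here a password, in a real server possibly session cookies or private key material) travels back to the peer inside a perfectly well-formed response. The hardened handler drops the request instead of answering, which is why a patched server cannot be probed this way.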

Many security commentators are advising users to change all of their passwords immediately. As a precautionary measure, this advice is worth heeding. If the vendor that a website uses has already deployed the fixed OpenSSL, then changing your password for that website should thwart attackers who may have harvested it beforehand. If a vendor has not yet implemented the fix, changing your password now may still lock out an attacker who already holds the old one, but it offers no lasting protection.

It is important to note that, until the fix is deployed, your new password can be harvested in exactly the same way as the old one. Thus, if you change your password for an account now and subsequently learn that the service provider has only just deployed the fix, you should change that password again. The Codenomicon advisory quoted above also notes that a server's secret keys can leak, so a site that has updated OpenSSL but kept its old certificate and keys remains exposed; a properly remediated site replaces both.

At this point, it is unclear whether the vulnerability has actually been abused 'in the wild' and, if so, how much data has been compromised. Dr Steven Murdoch, a University of Cambridge computer security expert, notes in a BBC article:
'I think there is a low to medium risk that any given password has been compromised,'

'It's not the same as previous breaches where there's been confirmed password lists posted to the internet. It's not as urgent as that.'

Nevertheless, this is a significant security threat and all Internet users would be wise to make themselves aware of the issue and carefully follow any advice given by their service providers.

The security community has acted quickly to mitigate the threat and hopefully all affected vendors will implement the fixed OpenSSL as quickly as possible.

For accurate and detailed information about Heartbleed, refer to the Heartbleed Bug website created by Codenomicon.

Last updated: April 10, 2014
First published: April 10, 2014
Written by Brett M. Christensen

References

OpenSSL 'Heartbleed' vulnerability (CVE-2014-0160)
The Heartbleed Bug (Codenomicon)
Heartbleed Bug: Public urged to reset all passwords (BBC)