Security researchers say the threat, known as Heartbleed, is serious, partly because it remained undiscovered for more than two years. Attackers can exploit the vulnerability without leaving any trace, so anything sent during that time has potentially been compromised. It’s not known, though, whether anyone has actually used it to conduct an attack.
Researchers are advising people to change all of their passwords.
The flaw involves SSL/TLS, the encryption technology marked by the small, closed padlock and “https:” in Web browsers to signify that traffic is secure. With the flaw, traffic was subject to snooping even when the padlock was shown as closed.
The problem affects only one implementation of SSL/TLS, the OpenSSL library, but that happens to be one of the most common on the Internet.
Researchers say that OpenSSL is used by two of the most widely used Web server programs, Apache and nginx. That means many Web sites potentially have this security flaw. OpenSSL is also used to secure e-mail, chats and virtual private networks, which employees use to connect securely to corporate networks.
A fix came out Monday, but Web sites and service providers must install the update.
Yahoo Inc.’s Tumblr blogging service uses OpenSSL. In a blog post Tuesday, officials said they had no evidence of any breach and had implemented the fix.
“But this still means that the little lock icon (HTTPS) we all trusted to keep our passwords, personal e-mails, and credit cards safe, was actually making all that private information accessible to anyone who knew about the exploit,” Tumblr’s blog post read. “This might be a good day to call in sick and take some time to change your passwords everywhere – especially your high-security services such as e-mail, file storage, and banking, which may have been compromised by this bug.”
The flaw was discovered independently by researchers at Google Inc. and the Finnish security firm Codenomicon.