It turns out that "HTTPS" isn't the ultimate security feature everybody thought it was. A bug aptly named "Heartbleed" has, for over two years, exposed passwords to attackers on supposedly secure sites protected by HTTPS, such as https://www.yahoo.com/.
The bug has given cyber-criminals the chance to steal private user information such as credit card numbers, usernames and passwords, said security analysts. Heartbleed was discovered last week and disclosed only this Monday. It has caused several websites to advise users to change their passwords.
"The little lock icon (HTTPS) we all trusted to keep our passwords, personal emails, and credit cards safe, was actually making all that private information accessible to anyone who knew about the exploit," said Tumblr in a warning to its users.
"This might be a good day to call in sick and take some time to change your passwords everywhere — especially your high-security services like email, file storage, and banking, which may have been compromised by this bug."
Yahoo, the owner of Tumblr, confirmed that its users' passwords have been compromised.
Heartbleed resides in OpenSSL, the open-source library that handles encryption for roughly two-thirds of the Internet. The researchers who discovered it said that most Internet users "are likely to be affected either directly or indirectly." OpenSSL is used by around 66 percent of the web to encrypt data.
Experts are now scrambling to assess the extent of the security breach. According to several security experts, it is one of the most serious security flaws uncovered in many years. Heartbleed was discovered simultaneously by a Google security researcher and a small security firm named Codenomicon.
Tens of millions of servers were exposed to Heartbleed. An emergency patch has been released, and several sites, including Yahoo, said they have successfully updated their servers.
Yahoo was identified as the largest organization whose sites were exposed to Heartbleed. On the other hand, Apple, Google, Microsoft, and major e-banking services do not appear to be affected.
"Our team has successfully made the appropriate corrections across the main Yahoo properties (Yahoo Homepage, Yahoo Search, Yahoo Mail, Yahoo Finance, Yahoo Sports, Yahoo Food, Yahoo Tech, Flickr and Tumblr) and we are working to implement the fix across the rest of our sites right now," Yahoo said.
On Monday afternoon, the open-source OpenSSL project released an emergency security advisory warning of Heartbleed, which can expose the private keys of a server running vulnerable software, allowing attackers to collect data traffic and even impersonate the server.
"Heartbleed is so serious--it's such a big, bad event--that almost every major service is scrambling to clean it up as quickly as possible," said Matthew Prince, CEO of content delivery network Cloudflare.
"When you finish using a website, make sure to actively log out," Prince advised. Doing so will make it less likely that a hacker exploiting Heartbleed will be able to take your personal information.
"It is catastrophically bad, just a hugely damaging bug," said International Computer Science Institute security researcher Nicholas Weaver.