Internet security researchers say people should not rush to change their passwords after the discovery of a widespread “catastrophic” software flaw that could expose website user details to hackers.
The flaw, dubbed “Heartbleed”, could reveal anything which is currently being processed by a web server – including usernames, passwords and cryptographic keys being used inside the site. Those at risk include Deutsche Bank, Yahoo and its subsidiary sites Flickr and Tumblr, photo-sharing site Imgur, and the FBI.
About half a million sites worldwide are reckoned to be insecure. “Catastrophic is the right word,” commented Bruce Schneier, an independent security expert. “On the scale of 1 to 10, this is an 11.”
But suggestions by Yahoo and the BBC that people should change their passwords at once – the typical reaction to a security breach – could make the problem worse if the web server hasn’t been updated to fix the flaw, says Mark Schloesser, a security researcher with Rapid7, based in Amsterdam, Netherlands.
Doing so “could even increase the chance of somebody getting the new password through the vulnerability,” Schloesser said, because logging in to an insecure server to change a password could reveal both the old and new passwords to an attacker.
The bug exists in a piece of open source software called OpenSSL, which is meant to encrypt communications between a user’s computer and a web server. But security researchers have no way to prove whether or not the flaw, which has existed since at least March 2012, has been exploited.
The bug’s age, and its presence in software to which anyone can submit an update, has led to speculation that it could have been inserted and then exploited by government spy agencies such as the US’s National Security Agency, which is known to have programs aiming to collect user data. “My guess is accident, but I have no proof,” Schneier commented.
Tumblr, which is affected, issued a warning to its users on Tuesday night. Although the firm said it had “no evidence of any breach”, and has now fixed the issue on its servers, it recommends users take action.