‘Heartbleed’ bug exposes major flaw in encrypted websites

9 Apr 2014

A team of researchers has found a massive flaw in OpenSSL, an online encryption program used by thousands of popular websites across the world, that can be manipulated to send the contents of a user’s RAM.

The flaw is known as the Heartbleed bug because it sends the malicious code through an action known as a heartbeat, which checks whether a receiving computer is still online. If not fixed, it has the potential to give individuals and organisations access to all of a user’s information, much of which is stored in a computer’s memory, i.e. RAM.

Regular web users will be familiar with OpenSSL encryption from visiting websites and online services, such as Gmail and PayPal, and seeing a small lock icon in the URL bar. This lock is supposed to signal that third parties won’t be able to read any information sent or received, because the user’s data is transformed into a coded message that only the recipient knows how to decipher.

The major worry, however, is that all of these websites are vulnerable to attack unless they install the latest version of OpenSSL, which the OpenSSL developers launched at the same time as the public announcement of the Heartbleed bug.

Unless websites update this software, visitors to websites using the old OpenSSL encryption are vulnerable to attack.

According to Vox, a number of the web’s biggest companies, such as Google and Yahoo!, were made aware of the problem and have since addressed it and updated the program. However, at the time of writing, a Microsoft spokesperson said they were still looking into the issue. “We are following reports of an OpenSSL library issue. If we determine there is an impact to our devices and services, we’ll take necessary steps to protect our customers.”

The Heartbleed oversight comes after internet security company Symantec issued a report identifying 2013 as the year of the ‘mega security breach’, with malicious programs becoming more frequent as the internet continues to grow.

Colm Gorey was a senior journalist with Silicon Republic
