What is the ‘Heartbleed’ bug, how it works and why it’s a huge security risk

By Alexandra Burlacu | Apr 11, 2014 07:46 AM EDT


A dangerous software bug called "Heartbleed" is raising great concerns, as it can expose users' personal information, including bank details, social security numbers, and passwords.


This bug threatens to compromise online communication security, posing a big risk to tech companies and users alike.

What is 'Heartbleed'?

The so-called "Heartbleed" bug was introduced by mistake into OpenSSL, a vital piece of software that secures thousands of online sites worldwide. More specifically, the server software called Apache, used by as much as two-thirds of the world's websites, has this OpenSSL software built in. The software sets up an encrypted data channel between a machine and the remote server, so that the data can be deciphered only by authorized computers that hold the keys needed to decrypt it.

OpenSSL is designed to make it secure to move financial information over the Internet, and it has become an essential part of online commerce. During a software upgrade back in 2012, however, a piece of bad code was accidentally added to the software, inadvertently allowing unauthorized machines to read unencrypted information from the memory of the remote server. This can compromise virtually any type of information, including the encryption keys needed to decode the data stream, e-mails, phone numbers, financial data, and more.
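The "bad code" was a missing length check in the TLS heartbeat handler: the peer states how many bytes of payload it sent, and the server copied that many bytes back without confirming that the record really was that long. The following is an added illustration written for this article, not OpenSSL's own code; the record layout, the function names, and the "secret" bytes placed after the record are constructed for the demo. It shows the trusting responder beside the one with the check restored, all inside a fixed buffer so the demo itself never reads out of bounds.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed heartbeat record layout: 1-byte type, 2-byte big-endian payload
 * length claimed by the peer, then the payload. An illustration only. */
#define HB_HEADER_LEN 3

/* Vulnerable responder: sizes the copy from the peer's claimed length, so the
 * reply carries whatever sits in memory past the bytes that actually arrived.
 * Returns bytes copied. mem_len bounds the copy only so this demo stays inside
 * its own buffer; the real defect had no such bound. */
size_t heartbeat_reply_vulnerable(const uint8_t *mem, size_t mem_len,
                                  uint8_t *out, size_t out_cap) {
    if (mem_len < HB_HEADER_LEN) return 0;
    size_t claimed = ((size_t)mem[1] << 8) | mem[2];
    size_t n = claimed > out_cap ? out_cap : claimed;
    if (n > mem_len - HB_HEADER_LEN) n = mem_len - HB_HEADER_LEN;
    memcpy(out, mem + HB_HEADER_LEN, n);
    return n;
}

/* Hardened responder: received_len is the size of the record that really
 * arrived on the wire. A claimed length that does not fit inside it is
 * rejected (returns 0) instead of being used to size the copy. */
size_t heartbeat_reply_checked(const uint8_t *mem, size_t received_len,
                               uint8_t *out, size_t out_cap) {
    if (received_len < HB_HEADER_LEN) return 0;
    size_t claimed = ((size_t)mem[1] << 8) | mem[2];
    if (claimed > received_len - HB_HEADER_LEN) return 0; /* the missing check */
    if (claimed > out_cap) return 0;
    memcpy(out, mem + HB_HEADER_LEN, claimed);
    return claimed;
}

/* Constructed process memory: a 2-byte payload "hi" whose header claims 64
 * bytes, followed by bytes that belong to something else entirely (a stand-in
 * for a server secret such as key material). */
static const uint8_t process_memory[] = {
    1, 0x00, 0x40, 'h', 'i',
    'S', 'E', 'C', 'R', 'E', 'T', 'K', 'E', 'Y'
};
static const size_t bytes_received = HB_HEADER_LEN + 2;  /* what was really sent */
```

Run against the constructed memory, the vulnerable responder answers a 2-byte request with 11 bytes that include the stand-in secret, while the checked responder refuses the request and still answers a record whose length field is truthful.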

Users' personal information is at stake, but there is not much they can do to protect themselves at this point. Vulnerable websites need to upgrade their software and patch this vulnerability, and until they do, the exposure continues. The risks go beyond Internet web servers, as hackers could use the bug to crack security firewalls, email systems, and potentially even mobile phones. Developers released various patches to fix affected web servers, especially for major companies such as Amazon, Yahoo, and Google, but pieces of vulnerable OpenSSL code are still present in ordinary PCs, email systems, phones, firewalls, and other places.

Julia Horwitz from the Electronic Privacy Information Center explained to Reuters how the whole process works. When computers are protected by an encrypted connection, as in the case of transferring information to one's bank or secure email, some layers of code aim to ensure the data is safe and not vulnerable to hacking. "Heartbleed" breaks that code and makes the protective layers penetrable, allowing hackers to collect sensitive information.

"The encryption software that has the bug is the most popular form of web encryption on the internet. So something like more than two-thirds of the internet that is encrypted is encrypted using OpenSSL TLS, which is what encryption software is," Horwitz told Reuters.

"It doesn't leave a trace, so it's hard to track and see when it's been used, and where it's been," Horwitz added. "So, as far as we can tell it's been in operation for about two years, maybe a little more than two years, which means that potentially any of the services that use OpenSSL in order to encrypt have been exposed to this bug, and therefore the users of those services."

Protection against 'Heartbleed'

Heavyweight companies such as Facebook, Yahoo, and Google have told Reuters that they have taken the necessary steps to reduce the negative impact on users. Google said that its users don't have to change their passwords. Amazon, meanwhile, said that Amazon.com has not been affected; however, some of its cloud services that support apps such as Pinterest and Netflix have been vulnerable.

Companies, as well as government agencies, are currently working to determine which products are vulnerable to this bug in order to set priorities for fixing them based on the risk they pose. Researchers have already noticed sophisticated hacking groups scanning the Internet this week in a bid to find vulnerable servers. The issue is of major concern and poses huge threats to online security, as it involves compromising a great amount of data of the most sensitive kind.

Because Heartbleed doesn't leave any trace, it's impossible to be sure whether your passwords and personal data have been mined and leaked. Researchers believe the only thing to do at this point is to change each and every password you use online, or at least every password that lets you log on to shopping, financial, or social networking sites where you share sensitive information. The sites still have to upgrade their own software with the necessary patches, so researchers advise waiting a couple of days before changing the passwords.
