Heartbleed Bug Shows Which Companies Really Care About Security


Exterminator (Community Manager, Staff Member, thread author) · Oct 23, 2012

The critical OpenSSL vulnerability, known as the Heartbleed bug, is said to have impacted two thirds of the websites that use SSL to secure their customers’ communications. While many organizations have patched their installations by now, a lot of users’ data has been at risk because of the flaw.

The Heartbleed bug was discovered by a Google security expert sometime in March. Its existence was made public on April 7. Some companies, such as CloudFlare, Facebook and some Linux distributions, learned of its existence before that, and they quickly rolled out fixes.

On April 7, OpenSSL released version 1.0.1g allowing all companies to secure their websites. However, it took some of them a lot of time to apply the fix.

Considering that Heartbleed made a lot of headlines all over the world, you’d expect every company to install the latest version of OpenSSL quickly, if not to protect users, at least to brag about it in an effort to boost their reputation.

Shortly after the world learned of the vulnerability, experts started publishing lists of the affected services. Exploits were also published online soon after. While initially some doubted that private SSL keys could be obtained by exploiting Heartbleed, researchers quickly demonstrated that it was possible.

Unsurprisingly, some organizations have started admitting to their customers that their information might have been stolen by cybercriminals exploiting the Heartbleed bug.

There are rumors that some entities might have known about the existence of Heartbleed for a long time, including the National Security Agency (NSA), which is said to have known about it for two years. The NSA has denied the accusations, but there could be some who really knew about the OpenSSL flaw for a long time.

Even if no one knew about it, it was clear that as soon as its existence came to light, cybercriminals would start exploiting it to take advantage of the relatively small window of opportunity they had before website owners started updating their OpenSSL installations.

However, while there were a few companies that acted quickly, there were some that took their time, giving potential attackers the opportunity to strike.

Of course, it’s true that in some cases, it’s a bit trickier to mitigate Heartbleed attacks. There are some reports about companies that experienced some serious issues updating OpenSSL.

On the other hand, if Yahoo managed to fix the issue within around 48 hours (which, by the way, was considered by many a slow response), others should have been able to update sooner, not in 5 days or more, as many have.

This just goes to show that “We take security very seriously” is just a sentence that companies include in their notifications to customers after they get hacked, not something they actually mean.

The fact that it has taken some organizations a lot of time to fix the Heartbleed vulnerability has also caused some confusion. The first piece of advice that everyone gave was “change your password!” However, as experts have highlighted, this recommendation is only good if the website you’re changing your password for has updated OpenSSL.
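The post above names OpenSSL 1.0.1g as the release that carries the fix. As an added example (not part of this thread and not OpenSSL's own code), the following Python classifies `openssl version` banners collected from your own hosts by whether the release falls inside the affected range, which ran from 1.0.1 through 1.0.1f plus 1.0.2-beta1; the host names and banners in the sample inventory are constructed. The distribution caveat in the closing comment matters in practice: several vendors backported the fix without bumping the upstream version string, so a "vulnerable" verdict from the banner alone is a triage filter, not a conclusion.

```python
import re

# Release facts (not from the thread): the bug entered OpenSSL in 1.0.1, affected every
# 1.0.1 release up to and including 1.0.1f as well as 1.0.2-beta1, and was fixed in
# 1.0.1g (the release the post names) and 1.0.2-beta2. The 0.9.8 and 1.0.0 branches
# never contained the TLS heartbeat code and were not affected.

BANNER_RE = re.compile(
    r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-(beta\d+|pre\d+))?"
)


def classify(banner):
    """Classify one `openssl version` line as 'vulnerable', 'patched', 'unaffected' or 'unknown'."""
    m = BANNER_RE.search(banner)
    if not m:
        return "unknown"
    release = (int(m.group(1)), int(m.group(2)), int(m.group(3)))
    letter, pre = m.group(4), m.group(5)

    if release < (1, 0, 1):
        return "unaffected"          # heartbeat extension not present in these branches
    if release == (1, 0, 1):
        # 1.0.1 (no letter) through 1.0.1f are affected; 1.0.1g and later carry the fix
        return "vulnerable" if letter <= "f" else "patched"
    if release == (1, 0, 2):
        return "vulnerable" if pre == "beta1" else "patched"
    return "patched"                 # 1.1.x and later shipped after the fix


def audit(inventory):
    """Group host names by verdict. `inventory` maps host -> banner string."""
    report = {"vulnerable": [], "patched": [], "unaffected": [], "unknown": []}
    for host, banner in sorted(inventory.items()):
        report[classify(banner)].append(host)
    return report


# Constructed sample inventory; host names and banners are made up for this example.
SAMPLE_INVENTORY = {
    "web-1.example.test": "OpenSSL 1.0.1e-fips 11 Feb 2013",
    "web-2.example.test": "OpenSSL 1.0.1g 7 Apr 2014",
    "legacy.example.test": "OpenSSL 0.9.8y 5 Feb 2013",
    "staging.example.test": "OpenSSL 1.0.2-beta1 24 Feb 2014",
    "appliance.example.test": "version banner unavailable",
}

if __name__ == "__main__":
    for verdict, hosts in audit(SAMPLE_INVENTORY).items():
        print(f"{verdict:>10}: {', '.join(hosts) or '-'}")
    # Caveat: a 'vulnerable' verdict is only a first filter. Distribution packages
    # backported the fix while keeping the upstream banner (a patched build can still
    # report 1.0.1e), so confirm against the package changelog before treating a host
    # as exposed.
```

Hosts that land in "unknown" (no parseable banner, as with many appliances) deserve a manual look rather than being dropped from the list.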

Cain (Level 4) · Dec 19, 2013
This is really poor management on the part of the organizations who have been so lax on patching a major vulnerability, that goes without saying I guess.

It's also not a surprise that the vulnerability has been known about and intentionally ignored to protect the interests of certain agendas. If anybody has the time to watch a very interesting Q & A workshop with Jacob Appelbaum, computer security researcher (if you don't know who he is, you should!), he really puts things in perspective and touches on topics closely related to this.

 

Viking (Level 26, Honorary Member) · Oct 2, 2011
I thought that I'll share this screenshot with you all as I just loaded MalwareTips from my Bookmarks.
I recently installed a Heartbleed add-on called HeartBleed-Ext 3.0 which checks websites for this bug.

* Note the red bar at the top!
[screenshot: AkMHG1B.png]
 
