Explainer: What is the 'Heartbleed' bug?

There are fears for the privacy of millions of internet users this week after a computer bug dubbed 'heartbleed' – which allows hackers to access passwords and other private information – was revealed by security experts. But should we be as worried about this bug as its name suggests?


Millions of websites have been operating with a major security flaw in place for more than two years, exposing users' personal information and putting them at risk.

Google Security and the Finnish security company Codenomicon discovered the bug – dubbed "heartbleed" – and revealed this week that it had gone undetected for more than two years.

What is heartbleed?

The heartbleed bug affects OpenSSL, a cryptographic library that scrambles sensitive information as it moves to and from computer servers.

This software is used to protect passwords, credit card numbers and other private data online.

OpenSSL is used by the majority of internet servers, and the encrypted connections it secures are marked by the padlock icon that appears in users' browsers.

Heartbleed creates an opening in OpenSSL that allows hackers to access private information even when the padlock icon is shown as closed.

It is important to note, however, that not all sites and services use OpenSSL.

Hackers can also access "keys" to encrypted data without the host website's knowledge, according to heartbleed.com.

"These are the crown jewels, the encryption keys themselves," the website states.

"Leaked secret keys allow the attacker to decrypt any past and future traffic to the protected services and to impersonate the service at will."
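The "opening" the article describes is a missing length check: a server trusts the payload size a peer claims and copies that many bytes back, reading past the data it actually received. The following C is an added illustration, not code from the article or from OpenSSL itself; it models a simplified heartbeat handler with and without the check, and the record layout, buffer sizes and "server memory" contents are constructed for the example.

```c
/* Added illustration, not code from the article or from OpenSSL: a
 * simplified model of the TLS heartbeat handler showing the missing bounds
 * check behind Heartbleed and the check added in the fixed OpenSSL release.
 * The record layout, buffer sizes and "server memory" are constructed. */
#include <stdint.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16   /* minimum padding a heartbeat record carries */

/* One received heartbeat record: type byte, 2-byte big-endian payload
 * length, payload, padding. 'length' is how many bytes really arrived. */
typedef struct { const uint8_t *data; size_t length; } record_t;

/* Constructed server memory: a record claiming a 32-byte payload but with
 * only 1 payload byte actually sent, followed by a secret that should never
 * leave the process. Unused bytes are zero. */
static const uint8_t SERVER_MEMORY[64] = {
    HB_REQUEST, 0x00, 0x20, 'h', 'S','E','C','R','E','T','_','K','E','Y' };
static const size_t RECORD_LEN = 4;   /* bytes that arrived on the wire */

/* Buggy handler: trusts the peer-supplied payload length and copies that
 * many bytes out of the record buffer, even past what was received, so
 * adjacent memory is echoed back. Returns bytes placed in 'out' (0 = reject). */
size_t heartbeat_unchecked(const record_t *rec, uint8_t *out, size_t out_cap) {
    const uint8_t *p = rec->data;
    if (rec->length < 3 || p[0] != HB_REQUEST) return 0;
    size_t payload = ((size_t)p[1] << 8) | p[2];
    if (3 + payload + HB_PADDING > out_cap) return 0;   /* guards 'out' only */
    out[0] = HB_RESPONSE; out[1] = p[1]; out[2] = p[2];
    memcpy(out + 3, p + 3, payload);  /* over-read: payload > bytes received */
    return 3 + payload + HB_PADDING;
}

/* Fixed handler: refuse any record whose claimed payload plus header and
 * padding exceeds the bytes that actually arrived. */
size_t heartbeat_checked(const record_t *rec, uint8_t *out, size_t out_cap) {
    const uint8_t *p = rec->data;
    if (rec->length < 3 || p[0] != HB_REQUEST) return 0;
    size_t payload = ((size_t)p[1] << 8) | p[2];
    if (1 + 2 + payload + HB_PADDING > rec->length) return 0;  /* the fix */
    if (3 + payload + HB_PADDING > out_cap) return 0;
    out[0] = HB_RESPONSE; out[1] = p[1]; out[2] = p[2];
    memcpy(out + 3, p + 3, payload);
    return 3 + payload + HB_PADDING;
}
```

With the constructed record, the unchecked handler echoes 51 bytes including the neighbouring secret, while the checked handler rejects the same record and only answers once the received length covers the claimed payload.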

What can I do to protect myself now?

Chris Gatford, the director of Australian internet security consultancy firm HackLabs, told SBS there wasn't much people could do, because it was up to the affected web servers to change their systems.

A fixed version of OpenSSL has been released, but it is the responsibility of individual websites to implement it.

"There's not a lot your average home user can do at this stage. Other than hope the site they are logging into, if affected, has applied the appropriate patches," he said.

Yahoo Inc assured its users early this week that some of its most popular services including Tumblr had been fixed but advised users to change their passwords.

"This might be a good day to call in sick and take some time to change your passwords everywhere—especially your high-security services like email, file storage, and banking, which may have been compromised by this bug," the company said in a statement on its website.

Is it worth changing my passwords?

Mr Gatford said it was most important that websites put the fixed version of OpenSSL in place.

"The fixing of this is the responsibility of the person who owns the site," he said. "So anywhere where you are logging into a site, if it happens to be an affected server, there is the possibility that an attacker could certainly learn of your user name and password values or gain access to your account via other mechanisms, because the site operator has not patched their system."

But he did advise users to change their passwords every couple of days on sites they were concerned about.

"You should already be using a password manager and making sure you've got complex passwords for every site that you use," he added.

What sites have been affected?

According to Mashable, it is unclear whether Facebook was affected, but a fix is in place. The website stated that Facebook has advised users to change their passwords.

Mashable added that LinkedIn had not been affected, Tumblr had, and Twitter's status was unclear.

Google was affected by the bug and issued the following statement:

"We have assessed the SSL vulnerability and applied patches to key Google services."

What damage has already been done?

Whether information has already been stolen is not yet known, but security experts around the world have expressed concern that the bug went undetected for more than two years.

Dr Priyadarsi Nanda, senior lecturer at the School of Computing and Communications at UTS, told SBS that users would have to be patient.

"Time will tell how much of your information will be compromised," he said.

Mr Gatford said heartbleed had highlighted the internet's inherent vulnerabilities.

"There are flaws in everything we use - it's only a matter of time before they come out."

By Sylvia Varnham O'Regan