Welcome to Offtopix 👋, Visitor

Off Topix is a well-established general discussion forum that originally opened to the public in 2009! We provide a laid-back atmosphere, and our members are down to earth. We have a ton of content, and fresh stuff is constantly being added. We cover all sorts of topics, so there's bound to be something inside to pique your interest. We welcome anyone and everyone to register and become a member of our awesome community.

"Heartbleed" bug in Web security exposes passwords to hackers

Jazzy

A major new vulnerability called Heartbleed could let attackers gain access to users' passwords and fool people into using bogus versions of Web sites. Some already say they've found Yahoo passwords as a result.

The problem, disclosed Monday night, is in open-source software called OpenSSL that's widely used to encrypt Web communications. Heartbleed can reveal the contents of a server's memory, where the most sensitive of data is stored. That includes private data such as usernames, passwords, and credit card numbers. It also means an attacker can get copies of a server's digital keys then use that to impersonate servers or to decrypt communications from the past or potentially the future, too.

Security vulnerabilities come and go, but this one is extremely serious. Not only does it require significant change at Web sites, it could require anybody who's used them to change passwords too, because they could have been intercepted. That's a big problem as more and more of people's lives move online, with passwords recycled from one site to the next and people not always going through the hassles of changing them.

"We were able to scrape a Yahoo username & password via the Heartbleed bug," tweeted Ronald Prins of security firm Fox-IT, showing a censored example. Added developer Scott Galloway, "Ok, ran my heartbleed script for 5 minutes, now have a list of 200 usernames and passwords for yahoo mail...TRIVIAL!"

Yahoo said just after noon PT that it fixed the primary vulnerability on its main sites: "As soon as we became aware of the issue, we began working to fix it. Our team has successfully made the appropriate corrections across the main Yahoo properties (Yahoo Homepage, Yahoo Search, Yahoo Mail, Yahoo Finance, Yahoo Sports, Yahoo Food, Yahoo Tech, Flickr, and Tumblr) and we are working to implement the fix across the rest of our sites right now. We're focused on providing the most secure experience possible for our users worldwide and are continuously working to protect our users' data."

However, Yahoo didn't offer advice to users about what they should do or what the effect on them is.

Developer and cryptography consultant Filippo Valsorda published a tool that lets people check Web sites for Heartbleed vulnerability. That tool showed Google, Microsoft, Twitter, Facebook, Dropbox, and several other major Web sites to be unaffected -- but not Yahoo. Valsorda's test uses Heartbleed to detect the words "yellow submarine" in a Web server's memory after an interaction using those words.

Other Web sites shown as vulnerable by Valsorda's tool include Imgur, OKCupid, and Eventbrite.

Full Article

Good old Yahoo not offering advice or what effect this has on accounts. I have 3 Yahoo accounts. I have changed all the passwords but not sure if it's too late or not. :mad:
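
Added example, not part of the original post or the quoted article, and not OpenSSL's code: a small C model of why a flawed server can return memory it was never sent, next to the length check that prevents it. The message layout (type, 2-byte length, payload, at least 16 bytes of padding) follows the TLS heartbeat extension in RFC 6520; the `arena` buffer, the function names and the "secret" string are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_HDR 3   /* type (1) + payload_length (2, big-endian), per RFC 6520 */
#define HB_PAD 16  /* minimum padding, per RFC 6520 */

/* Constructed stand-in for process memory: record first, unrelated data after. */
static uint8_t arena[256];

static void load_record(const uint8_t *rec, size_t rec_len) {
    memset(arena, 0, sizeof arena);
    memcpy(arena, rec, rec_len);
    memcpy(arena + rec_len, "password=hunter2", 16);  /* constructed secret */
}

/* Flawed responder: echoes as many bytes as the message claims to carry. */
static size_t respond_unchecked(size_t rec_len, uint8_t *out) {
    size_t claimed = ((size_t)arena[1] << 8) | arena[2];
    (void)rec_len;                        /* never consulted: the flaw */
    if (claimed > sizeof arena - HB_HDR)  /* keeps this model inside arena */
        claimed = sizeof arena - HB_HDR;
    memcpy(out, arena + HB_HDR, claimed);
    return claimed;
}

/* Hardened: drop the message if header + claimed payload + padding exceed it. */
static size_t respond_checked(size_t rec_len, uint8_t *out) {
    if (rec_len < HB_HDR + HB_PAD) return 0;
    size_t claimed = ((size_t)arena[1] << 8) | arena[2];
    if (HB_HDR + claimed + HB_PAD > rec_len) return 0;
    memcpy(out, arena + HB_HDR, claimed);
    return claimed;
}

/* Canary of 16 bytes that claims 64; returns 1 if the reply exceeds 16 bytes. */
static int leaks(size_t (*respond)(size_t, uint8_t *)) {
    uint8_t rec[HB_HDR + 16 + HB_PAD] = {1, 0, 64};
    uint8_t out[sizeof arena];
    memcpy(rec + HB_HDR, "yellow submarine", 16);
    load_record(rec, sizeof rec);
    return respond(sizeof rec, out) > 16;
}

int main(void) {
    printf("unchecked=%d checked=%d\n", leaks(respond_unchecked), leaks(respond_checked));
    return 0;
}
```

The checked responder still answers an honest message whose length field matches its payload, so the fix costs legitimate clients nothing.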
 
