A serious flaw in the implementation of OpenSSL, a fundamental security measure used by millions of websites, could expose sensitive information to attackers, including private messages, login credentials and credit card details. The vulnerability, officially tagged CVE-2014-0160 but also known as "Heartbleed", potentially allows attackers to retrieve entire OpenSSL decryption keys from an affected server, allowing them to decrypt secure communications without leaving any sign of brute-force intrusion.
In addition to stealing names, passwords, and message contents, attackers could also disguise themselves as legitimate users, thus eavesdropping and stealing all data flowing in and out of a vulnerable service.
The flaw is not in the encryption method itself, but rather in the way the OpenSSL implementation manages memory. If an attacker sends a deliberately malformed request to the server, it automatically responds with up to 64kB of data that might contain sensitive information.
The
problem was known internally and a fix was being prepared, but security firm CloudFlare
published information about it before the fix was ready for general release, in an attempt to promote a fix for their own OpenSSL implementation. Web administrators who rely on OpenSSL might not have time to apply the fix before attackers decide to put the flaw into practice.
OpenSSL versions 1.01 and 1.02 beta are affected. Administrators running 1.01f or earlier are advised to upgrade to 1.01g. A 1.02 beta 2 release will fix the vulnerability in the beta channel, when it is released.
Security firm Codeomnicon estimates that at least 66 percent of active sites on the Internet could be affected, in addition to a massive number of email, instant message, virtual private network and various other services.
There is no known evidence of a successful attack on any person or organisation due to the Heartbleed vulnerability.