A new serious vulnerability in open source software called OpenSSL that’s extensively used for encrypting web communications has been spotted. Called Heartbleed, the flaw allows attackers to gain access to users’ passwords and befool users by using fake versions of websites.
Heartbleed is capable of gaining access to server’s memory, where most of the critical data is saved. This includes data such as usernames, passwords and credit card numbers. Hackers can also use the exploit to get copies of server’s digital keys and use it to mimic servers or to decrypt web communications.
Unlike the previous flaws found, this one is considered to be more serious and lethal. Heartbleed may affect several mainstream and social networking websites.
"We were able to scrape a Yahoo username & password via the Heartbleed bug," tweeted Ronald Prins of security firm Fox-IT, showing a censored example. Added developer Scott Galloway, "Ok, ran my heartbleed script for 5 minutes, now have a list of 200 usernames and passwords for yahoo mail...TRIVIAL!"
Yahoo claimed it has fixed the primary vulnerability on its main sites: "As soon as we became aware of the issue, we began working to fix it. Our team has successfully made the appropriate corrections across the main Yahoo properties (Yahoo Homepage, Yahoo Search, Yahoo Mail, Yahoo Finance, Yahoo Sports, Yahoo Food, Yahoo Tech, Flickr, and Tumblr) and we are working to implement the fix across the rest of our sites right now. We're focused on providing the most secure experience possible for our users worldwide and are continuously working to protect our users' data."
A tool has been published that helps track sites for Heartbleed vulnerability. The tool reveals websites Google, Microsoft, Twitter, Facebook, Dropbox, and others unaffected.