Massive Security Flaw ‘Heartbleed’ Exposes Yahoo Mail And Internet HTTPS Encryption

Terrible news, everyone: There’s a coding error in the OpenSSL cryptographic software library that allows anyone with the right tools and a little know-how to access secret encryption keys, usernames, passwords, and even content on sites using OpenSSL for protection. That includes roughly two-thirds of the Internet’s web servers, according to Ars Technica.

The problem with the so-called Heartbleed bug is that there’s a missing bounds check. “By abusing this mechanism, an attacker can request that a running TLS server hand over a relatively large slice (up to 64KB) of its private memory space,” wrote cryptographer Matthew Green in a blog post. “Since this is the same memory space where OpenSSL also stores the server's private key material, an attacker can potentially obtain (a) long-term server private keys, (b) TLS session keys, (c) confidential data like passwords, (d) session ticket keys.”
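The missing bounds check described above, as an added illustration that is not from the article or from OpenSSL itself: a simplified heartbeat handler run over a constructed 8-byte request whose length field claims 65535 bytes, once without the check (the pre-1.0.1g behaviour) and once with the check that 1.0.1g added. The simulated memory, the record, and the helper names are all assumptions of this example.

```c
#include <stdio.h>
#include <string.h>

/* Simulated process memory (constructed for this example): an 8-byte
 * heartbeat request followed by unrelated data that happens to sit next
 * to it in the heap. */
static const unsigned char MEMORY[] =
    "\x01"      /* type: heartbeat request */
    "\xff\xff"  /* claimed payload length: 65535 */
    "hello"     /* the 5 bytes the peer actually sent */
    "SECRET-KEY-MATERIAL";  /* adjacent memory the peer never sent */
#define RECORD_LEN 8                  /* what the TLS record layer really received */
#define MEM_LEN (sizeof(MEMORY) - 1)

/* Echo a heartbeat: copy `payload` bytes from the request into `out`.
 * check_bounds=0 models OpenSSL before 1.0.1g, check_bounds=1 the fix.
 * Returns bytes copied, or -1 when the record is rejected. */
int handle_heartbeat(const unsigned char *rec, size_t rec_len, size_t mem_len,
                     int check_bounds, unsigned char *out, size_t out_cap)
{
    if (rec_len < 3)
        return -1;
    size_t payload = ((size_t)rec[1] << 8) | rec[2];  /* peer-controlled length */
    /* The check that was missing: the claimed length must fit inside the
     * record (1 type byte + 2 length bytes + payload + 16 bytes of padding). */
    if (check_bounds && 1 + 2 + payload + 16 > rec_len)
        return -1;
    if (payload > out_cap)
        payload = out_cap;
    if (payload > mem_len - 3)        /* keeps this toy model itself in bounds */
        payload = mem_len - 3;
    memcpy(out, rec + 3, payload);    /* unchecked: reads past the 5 real bytes */
    return (int)payload;
}

/* Bytes echoed for the constructed request, or -1 if rejected. */
int echoed_len(int check_bounds)
{
    unsigned char out[64];
    return handle_heartbeat(MEMORY, RECORD_LEN, MEM_LEN, check_bounds, out, sizeof out - 1);
}

/* 1 if the echoed bytes include data from beyond the request, else 0. */
int secret_leaked(int check_bounds)
{
    unsigned char out[64];
    int n = handle_heartbeat(MEMORY, RECORD_LEN, MEM_LEN, check_bounds, out, sizeof out - 1);
    if (n < 0)
        return 0;
    out[n] = '\0';
    return strstr((const char *)out, "SECRET") != NULL;
}
```

Without the check the server echoes 24 bytes, the 5 it was sent plus 19 of whatever lay next to them; with the check the malformed record is simply dropped.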

[Image: Mark Loman's Yahoo Heartbleed test result. Credit: Mark Loman]

What’s frustratingly pernicious about this particular exploit is that even though the fix is relatively easy (you just need to update the server to OpenSSL 1.0.1g), if your server has been accessed via the bug you also need a whole new certificate, regardless of whether you’ve patched it. And there’s no way of knowing whether or not a server has been accessed in this way, so the nuclear option, as it were, is the only way to be completely safe.

For an example of how dangerous this all is, consider the case of Yahoo. Malware analyst Mark Loman ran a test that determined Yahoo was vulnerable to the exploit. Yahoo is the largest email provider in the world, and every single Yahoo user was potentially affected.

Yahoo has since tweeted that “Our team has fixed the #Heartbleed vulnerability across our main properties & is implementing the fix across our entire platform now” but otherwise has not provided any guidance on what users should do to be safe.
Via: Ars Technica
Jaybk26 8 months ago

Wait, Yahoo is the largest eMail provider in the world?

DustinMaxfield 8 months ago

This is scary. openSSL is used on a large percentage of servers on the internet.

realneil 8 months ago

Yahoo Mail has been exposed forever, too many times to list.

openSSL has about 60% of the internet under its belt, but not all versions are susceptible.

acarzt 8 months ago

There is a pretty mad scramble everywhere to get this patched.... it affects just about every Cisco product... Today is gonna be a loooong day....

marek_max 8 months ago

Some people are so STUPID!!! Do not PANIC! Show me... SHOW me ONE video where you get MY password from Yahoo... SHOW ME live. Oh, on yt there is NO single video SHOWING it live...


A great way to make good money here, articles, website, pseudo-tools...

StaticFX 8 months ago

the media keeps claiming this 60% but about 58% of that are small sites... only a few large popular sites have this (or had this) issue.

Oh, and don't go changing your password until that site is fixed! lol


that's a list of the top 1000 sites and if they are vulnerable (as of 4/8)

acarzt 8 months ago


If you're so sure this is all just a hoax and there is no real danger... then by all means, don't change your password. :-)

The thing is... this bug is like scratch offs for Hackers.. They can't know what they are going to get. The bug returns 64kb of random unencrypted data which may or may not contain anything useful. Most of the time they will get garbage... but every now and then they will get usernames and passwords. And if they hit the big jackpot, they'll get private keys, which will allow them to decrypt all your data.

This bug really is a big deal. I'm a network engineer. My team and I at work have to upgrade the code on every single Cisco router and switch in our environment, we have to generate new keys, and for the public facing stuff we need to get new keys issued to us (not always the easiest of processes and usually costs money). The SSL VPN client for Apple iOS devices was supposedly vulnerable so now all of those need to be updated and passwords changed.

Basically, anything that is based on Linux and was up to date... is going to need to go through the same process... update to a safe software version, certificates changes, and credentials changed.

There is no way to know what has been compromised, so we have to address EVERYTHING.

For all anyone knows, no one has even exploited the bug... but we still have to address it.

WendellBeverly1 8 months ago

Fabulous. Changing my PW on everything is going to be ugly, but I believe I'll be changing all passwords across the board, after the fix of course.

illus1ons 8 months ago

That doesn't mean I HAVE TO change all my gmail, yahoo, facebook passwords, right? As long as I still have them...and they're working...

Mordymion 8 months ago

Not only are very few major sites affected, scares happen all the time without any real problems occurring. It'll probably blow over just like the rest.

illus1ons 8 months ago

Good to know
