Massive Security Flaw ‘Heartbleed’ Exposes Yahoo Mail And Internet HTTPS Encryption


Top 10 Contributor
ForumsAdministrator
News Posted: Wed, Apr 9 2014 11:37 AM
Terrible news, everyone: There’s a coding error in the OpenSSL cryptographic software library that allows anyone with the right tools and a little know-how to access secret encryption keys, usernames, passwords, and even content on sites using OpenSSL for protection. That includes roughly two-thirds of the Internet’s web servers, according to Ars Technica.

The problem with the so-called Heartbleed bug is that there’s a missing bounds check. “By abusing this mechanism, an attacker can request that a running TLS server hand over a relatively large slice (up to 64KB) of its private memory space,” wrote cryptographer Matthew Green in a blog post. “Since this is the same memory space where OpenSSL also stores the server's private key material, an attacker can potentially obtain (a) long-term server private keys, (b) TLS session keys, (c) confidential data like passwords, (d) session ticket keys.”

[Image: Yahoo Heartbleed test result by Mark Loman. Credit: Mark Loman]

What’s frustratingly pernicious about this particular exploit is that even though a fix is relatively easy--you just need the server updated to OpenSSL 1.0.1g--if your server has been accessed via the bug, you need to get a whole new certificate, regardless of whether you’ve patched it. But there’s no way of knowing whether or not a server has been accessed in this way, so the nuclear option, as it were, is the only way to be completely safe.

For an example of how dangerous this all is, consider the case of Yahoo. Malware analyst Mark Loman ran a test that determined Yahoo was vulnerable to the exploit. Yahoo is the largest email provider in the world, and every single Yahoo user was potentially affected.

Yahoo has since tweeted that “Our team has fixed the #Heartbleed vulnerability across our main properties & is implementing the fix across our entire platform now” but otherwise has not provided any guidance on what users should do to be safe.
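The missing bounds check Green describes, as an added example (not OpenSSL's code): a hypothetical `handle_heartbeat` that echoes an RFC 6520 heartbeat request only after verifying that the payload length claimed in the header fits inside the record actually received, which is the validation the patched releases added. The sample records are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* RFC 6520 heartbeat message: type(1) | payload_length(2) | payload | padding(>=16).
 * The 16-bit length field is why a single request could pull up to 64KB. */
#define HB_REQUEST     1
#define HB_RESPONSE    2
#define HB_PADDING     16
#define HB_MAX_PAYLOAD 16384   /* RFC 6520 cap on payload length */

/* Hypothetical handler: builds the response in out and returns its length,
 * or -1 when the record is rejected. It echoes only bytes the peer really sent. */
int handle_heartbeat(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap)
{
    if (rec_len < 1 + 2 + HB_PADDING || rec[0] != HB_REQUEST)
        return -1;                                    /* cannot hold even an empty payload */
    size_t payload = ((size_t)rec[1] << 8) | rec[2];  /* length claimed by the sender */
    /* The check Heartbleed lacked: the claimed length must fit in the record received.
     * Without it, the memcpy below would read past rec into other process memory. */
    if (1 + 2 + payload + HB_PADDING > rec_len || payload > HB_MAX_PAYLOAD)
        return -1;
    size_t resp_len = 1 + 2 + payload + HB_PADDING;
    if (resp_len > out_cap)
        return -1;
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);                /* bounded by the check above */
    memset(out + 3 + payload, 0, HB_PADDING);         /* TLS pads randomly; zeroed here for determinism */
    return (int)resp_len;
}

/* Constructed sample records (24 bytes each): 3-byte header, "hello", 16 bytes of padding. */
static const uint8_t honest_record[24] = { 0x01, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o' };
/* Same bytes, but the header claims a 16384-byte payload that was never sent. */
static const uint8_t overclaim_record[24] = { 0x01, 0x40, 0x00, 'h', 'e', 'l', 'l', 'o' };

/* Returns the response length (24) when the honest record is echoed correctly, -2 otherwise. */
int honest_response_len(void)
{
    uint8_t out[64];
    int n = handle_heartbeat(honest_record, sizeof honest_record, out, sizeof out);
    if (n == 24 && out[0] == HB_RESPONSE && memcmp(out + 3, "hello", 5) == 0)
        return n;
    return -2;
}

/* Returns -1: the over-claiming record is dropped instead of leaking memory. */
int overclaim_response_len(void)
{
    uint8_t out[64];
    return handle_heartbeat(overclaim_record, sizeof overclaim_record, out, sizeof out);
}
```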
Top 500 Contributor
Jaybk26 replied on Wed, Apr 9 2014 1:17 PM

Wait, Yahoo is the largest email provider in the world?

Top 500 Contributor
Location: Utah

This is scary. OpenSSL is used on a large percentage of servers on the internet.

Top 10 Contributor
Location: Shenandoah Valley, Virginia
MembershipAdministrator
Moderator

Yahoo Mail has been exposed forever, too many times to list.

OpenSSL has about 60% of the internet under its belt, but not all versions are susceptible.

Dogs are great judges of character, and if your dog doesn't like somebody being around, you shouldn't trust them.

Top 50 Contributor
Location: Texas
acarzt replied on Thu, Apr 10 2014 10:49 AM

There is a pretty mad scramble everywhere to get this patched.... it affects just about every Cisco product... Today is gonna be a loooong day....

Not Ranked
marek_max replied on Fri, Apr 11 2014 7:59 AM

Some people are so STUPID!!! Do not PANIC! Show me... SHOW me ONE video where you get MY password from Yahoo... SHOW ME live. Oh, on YouTube there is not a single video SHOWING it live...


A great way to make good money here, articles, website, pseudo-tools...

Top 200 Contributor
Location: Rochester, NY
StaticFX replied on Fri, Apr 11 2014 8:25 AM

The media keeps claiming this 60%, but about 58% of that are small sites... only a few large popular sites have (or had) this issue.

Oh, and don't go changing your password until that site is fixed! lol

https://github.com/musalbas/heartbleed-masstest/blob/master/top1000.txt


That's a list of the top 1000 sites and whether they are vulnerable (as of 4/8).

Not Ranked
Location: SoCal

Fabulous. Changing my PW on everything is going to be ugly, but I believe I'll be changing all passwords across the board, after the fix of course.

Not Ranked

That doesn't mean I HAVE TO change all my Gmail, Yahoo, Facebook passwords, right? As long as I still have them... and they're working... :)

Not Ranked
Location: Fort Collins, CO
Connor replied on Fri, Apr 11 2014 9:31 PM

Not only are very few major sites affected, scares happen all the time without any real problems occurring. It'll probably blow over just like the rest.

Not Ranked

Good to know

Top 50 Contributor
Location: Texas
acarzt replied on Sat, Apr 12 2014 10:12 AM

@marek_max

If you're so sure this is all just a hoax and there is no real danger... then by all means, don't change your password. :-)

The thing is... this bug is like scratch-offs for hackers. They can't know what they are going to get. The bug returns 64KB of random unencrypted data which may or may not contain anything useful. Most of the time they will get garbage... but every now and then they will get usernames and passwords. And if they hit the big jackpot, they'll get private keys, which will allow them to decrypt all your data.

This bug really is a big deal. I'm a network engineer. My team and I at work have to upgrade the code on every single Cisco router and switch in our environment, we have to generate new keys, and for the public-facing stuff we need to get new keys issued to us (not always the easiest of processes, and it usually costs money). The SSL VPN client for Apple iOS devices was supposedly vulnerable, so now all of those need to be updated and passwords changed.

Basically, anything that is based on Linux and was up to date... is going to need to go through the same process: update to a safe software version, certificates changed, and credentials changed.

There is no way to know what has been compromised, so we have to address EVERYTHING.

For all anyone knows, no one has even exploited the bug... but we still have to address it.
