April 19, 2014

The Heartbleed bug has taken the world of web users by storm. A major vulnerability in the OpenSSL cryptographic software library, Heartbleed threatens to compromise the security of passwords on millions of servers running across the globe. The bug exposes secret information by letting an attacker read the memory of systems that are protected by the vulnerable versions of the OpenSSL library. As a result, attackers gain illegitimate access to user communication and secret data, creating a major security loophole.

The Heartbleed bug was discovered independently by two parties: Google and a cyber security firm, Codenomicon. A hacker can use the Heartbleed bug to get important data such as passwords, session cookies, server private keys and user login information from portals.

OpenSSL, an open-source implementation of the Secure Sockets Layer (SSL) protocol, is one of the most basic means of encrypting important information over the internet. It helps to protect users from eavesdropping on their communications and from compromise of sensitive and confidential data. The vulnerability in the OpenSSL software allows hackers to access 64KB of server memory at one time.

How the Heartbleed Bug Allows Information to Be Hacked:

To exploit the Heartbleed bug, the hacker sends the server a request with a small payload and a large length field, and the server returns up to 64 kilobytes of its memory. For example, a hacker may send a request asking the server to “send back 500-letter word cat”. This would cause the server to return “cat” followed by 497 characters of whatever was stored in the server’s active memory. In this way the hacker can get sensitive data from servers.
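The length mismatch described above, as an added example that is not OpenSSL's code: a simplified model in which a handler that trusts the claimed length sits beside one that checks it against the bytes actually received. The arena, the function names and the secret string are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for server memory: request bytes, then unrelated data. */
#define ARENA_SIZE 64
static unsigned char arena[ARENA_SIZE];

/* Store the received payload with a constructed secret right after it (must fit in the arena). */
static void load_arena(const char *payload, size_t received_len) {
    memset(arena, 0, sizeof arena);
    memcpy(arena, payload, received_len);
    strcpy((char *)arena + received_len, "SECRET-session-cookie");
}

/* Vulnerable: echoes claimed_len bytes, trusting the request's length field. */
static size_t heartbeat_vulnerable(size_t received_len, size_t claimed_len,
                                   unsigned char *out, size_t out_cap) {
    (void)received_len;                          /* never consulted: this is the bug */
    if (claimed_len > out_cap || claimed_len > ARENA_SIZE) return 0; /* keep the model in bounds */
    memcpy(out, arena, claimed_len);
    return claimed_len;
}

/* Hardened: drop the request when it claims more bytes than were received. */
static size_t heartbeat_fixed(size_t received_len, size_t claimed_len,
                              unsigned char *out, size_t out_cap) {
    if (claimed_len > received_len || claimed_len > out_cap) return 0;
    memcpy(out, arena, claimed_len);
    return claimed_len;
}

/* Returns 1 if the response contains the marker of the constructed secret. */
static int leaks_secret(const unsigned char *resp, size_t n) {
    const char *needle = "SECRET";
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(resp + i, needle, m) == 0) return 1;
    return 0;
}

int main(void) {
    unsigned char out[ARENA_SIZE];
    load_arena("cat", 3);                        /* 3 bytes received */
    size_t n = heartbeat_vulnerable(3, 20, out, sizeof out); /* request claims 20 */
    printf("vulnerable: %zu bytes returned, leak=%d\n", n, leaks_secret(out, n));
    n = heartbeat_fixed(3, 20, out, sizeof out);
    printf("fixed: %zu bytes returned, leak=%d\n", n, leaks_secret(out, n));
    return 0;
}
```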

The problem confronting many companies today is that not all of them have implemented measures that counter the Heartbleed vulnerability. Barring tech giants like Google and Facebook, and a few others, many companies have not yet incorporated appropriate technological measures into their systems. This leaves them all the more vulnerable to damage through Heartbleed.

While major portals are quickly shifting to better systems, many Android-based mobile phones and tablets are still vulnerable to the Heartbleed bug.

As a precautionary measure, you could get in touch with your bank and other portals where you store important information to find out whether their website is still secure and what measures you should take. You could also change your passwords so as to possibly avert the threat posed by Heartbleed.