Usernames, passwords, data exposed in massive OpenSSL Heartbleed bug

Security researchers have found a massive vulnerability in the popular OpenSSL cryptographic library, one that apparently makes it trivial for attackers to steal information normally protected by encryption common used to protect web, email and other internet communications.

Dubbed 'Heartbleed', the bug was independently discovered by a team of engineers (Riku, Antti and Matti) from robustness testing tool company Codenomicon and Neel Mehta of Google Security.

Codenomicon has set up a website listing details of the bug at heartbleed.com.

The company said the bug allows attackers to steal "the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet".

SSL/TLS is commonly used to protect communications over the web, email, VPNs and a variety of other internet applications.

"The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users, and to impersonate services and users," Codenomicon said.

Exploitation of the bug "leaves no traces of anything abnormal happening" in logs, and Codenomicon doesn't know if it has been abused in the wild.

"As long as the vulnerable version of OpenSSL is in use it can be abused. Fixed OpenSSL has been released and now it has to be deployed. Operating system vendors and distribution, appliance vendors, independent software vendors have to adopt the fix and notify their users. Service providers and users have to install the fix as it becomes available for the operating systems, networked appliances and software they use."

According to Codenomicon, the bug exposes encryption keys, allowing attackers to "decrypt any past and future traffic to the protected services and to impersonate the service at will. Any protection given by the encryption and the signatures in the X.509 certificates can be bypassed."

The bug also exposes secondary key material (usernames and passwords), the content of encrypted communications (like emails and financial information) and technical details such as memory addresses.

Codenomicon lists the vulnerable versions of OpenSSL on the heartbleed.com website and said the bug "was introduced to OpenSSL in December 2011 and has been out in the wild since OpenSSL release 1.0.1 on 14th of March 2012. OpenSSL 1.0.1g released on 7th of April 2014 fixes the bug. The vulnerable versions have been out there for over two years now and they have been rapidly adopted by modern operating systems.

"Vendors should be notifying their users and service providers. Internet service providers should be notifying their end users where and when potential action is required."

Reuters reported that there is little internet users can do to protect themselves until vulnerable websites implement fixes.

According to the news service, Kaspersky Lab researcher Kurt Baumgartner said that increasing numbers of hacking groups have been conducting automated scans of the internet searching for vulnerable web servers.

"The problem is insidious," Baumgartner is quoted as saying. "Now it is amateur hour. Everybody is doing it."