‘Heartbleed’ bug could undermine years of work to build public trust

The “Heartbleed” software flaw that triggered alarm bells around the world could fundamentally undermine two decades’ worth of efforts to persuade consumers they could trust the Web to securely handle such tasks as buying a pair of shoes and applying for a job.

The discovery of a gaping hole in a piece of software that was supposed to protect personal information from hackers left websites rushing to fix the bug while consumers struggled to understand what kind of risks they suddenly faced by venturing online.

That angst intensified, in part, because no one knows for sure just how much damage the Heartbleed bug had caused, or how widely hackers had managed to exploit it. Security researchers fear that it could take years to repair not just the bugs but also the trust of users.

“This is very bad, and the consequences are very scary now that it has been disclosed,” said Phil Lieberman, president of Los Angeles security management firm Lieberman Software. “The fact that this code is on home and commercial Internet-connected devices on a global scale means that the Internet is a different place today.”


Heartbleed is a flaw that was found in OpenSSL, a technology that provides encryption for about two-thirds of all servers on the public Internet. For most people, the technology shows up as a tiny green padlock icon next to the address field in a Web browser. It is supposed to signify that the password or credit card information typed on the website is secure.

But the bug essentially enables any hacker with the most basic of skills to use a simple piece of software to gain access to the IDs and passwords of a site’s users in just a few minutes. Word of the flaw burst into widespread public view Tuesday when Tumblr, which is owned by Yahoo Inc., disclosed that it had been affected and urged users to change their passwords.

In fact, the flaw was discovered several weeks ago by Neel Mehta, a security researcher at Google Inc., and a team of security engineers at Codenomicon, a security website that has since created a website with information about Heartbleed.

According to a person familiar with the details, Google immediately patched its own site and began notifying partners and the open-source community about the problem. In the meantime, two Google developers, Adam Langley and Bodo Moeller, helped develop a fix that was released Monday.

It appears the bug was introduced into OpenSSL by a simple programming mistake that then got pushed out as websites around the world updated the version of OpenSSL they were running. The security hole may have existed for at least two years, security experts said.

In addition to updating OpenSSL, websites will need to revise many pieces of their security protocols known as keys and certificates that help them confirm the identity of users.

On Wednesday, consumers started to receive a trickle of notices from services they use online warning them about the potential issue and recommending steps, such as changing their passwords.

SoundCloud, an online music sharing site, said it logged everyone off its service and asked users to sign back in and change their pass codes. Firebase, a mobile app development service, sent an email to users alerting them that the company had patched the software hole and updated its security protocols.


“We do not have any evidence that passwords or any other private information has been compromised,” Firebase said. “However, given that this exploit existed in the wild for such a long time, it is possible that an attacker could have stolen passwords without our knowledge. As a result, we recommend that all Firebase users change the passwords on their accounts.”

Michael Dominguez, of Austin, Texas, began reading about Heartbleed on Tuesday and found himself growing increasingly nervous. He called customer service for his bank, Chase, to see if it knew whether its website was vulnerable, but a representative hadn’t heard about Heartbleed. Dominguez said he also called his insurance company, USAA, and its customer service representative told him that its site was not vulnerable.

For now, Dominguez said he’s limiting his activities online and will continue watching for notifications from Web services he uses.

“Maybe this is a wake-up call,” he said. “Maybe we’ve all been lulled into this false sense of security. We rely on these websites to ensure they’ve taken all the precautions. So much of our lives are digital these days, and we take this stuff for granted.”


The bug is also raising questions about the wisdom of relying on “open source” software that is developed and maintained by a community of developers, rather than by a single company.

“Having common technology is typically viewed as a good thing. But it can also lead to assumptions,” said Jonathan Sander, vice president of research and technology for Stealthbits Technologies. “People assume the parts they use are safe if everyone uses them. If deep testing isn’t being done by the good guys to make sure those parts stay safe over time, then you can be sure the bad guys will find the faults first.”

Twitter: @obrien