Next Score View the next score

    Key flaw in Internet security discovered

    A flaw has been discovered in one of the Internet’s key encryption methods.
    Omar Havana/Getty Images
    A flaw has been discovered in one of the Internet’s key encryption methods.

    NEW YORK — The tiny padlock next to Web addresses that promised to protect our most sensitive information — passwords, stored files, bank details, even Social Security numbers — is broken.

    A flaw has been discovered in one of the Internet’s key encryption methods, potentially forcing a wide swath of websites to swap out the virtual keys that generate private connections between the sites and their customers.

    On Tuesday afternoon, many organizations were heeding the warning. Companies like Lastpass, the password manager, and Tumblr, the social network owned by Yahoo, said they had issued fixes and warned users to immediately swap out their usernames and passwords.


    The vulnerability involves a serious bug in OpenSSL, the technology that powers encryption for two-thirds of Web servers. It was revealed Monday by a team of Finnish security researchers who work for Codenomicon, a security company in Saratoga, Calif., and two security engineers at Google.

    Get Talking Points in your inbox:
    An afternoon recap of the day’s most important business news, delivered weekdays.
    Thank you for signing up! Sign up for more newsletters here

    Researchers are calling the bug “Heartbleed” because it affects the “heartbeat” portion of the OpenSSL protocol, which pings messages back and forth. It can and has been exploited by attackers.

    The bug allows attackers to access the memory on any Web server running OpenSSL and take all sorts of information.

    What makes the Heartbleed bug particularly severe is that it can be used by an attacker without leaving any digital crumbs behind.

    “It’s a serious bug in that it doesn’t leave any trace,” said David Chartier, the chief executive at Codenomicon. “Bad guys can access the memory on a machine and take encryption keys, usernames, passwords, valuable intellectual property, and there’s no trace they’ve been there.”


    On Monday, the open-source team that oversees OpenSSL issued a warning to people and organizations about the bug, and encouraged anyone using the OpenSSL library to upgrade to the latest version, which fixes the problem.

    Security researchers say it is impossible to know whether an attacker used the bug to steal a victim’s information, but found evidence that attackers were aware of the bug and had been exploiting it.

    Researchers monitoring various “honey pots” — stashes of fake data on the Web aimed at luring hackers so researchers can learn more about their tools and techniques — found evidence that attackers had used the Heartbleed bug to access the fake data.

    But actual victims are out of luck. “Unless an attacker blackmails you, or publishes your information online, or steals a trade secret and uses it, you won’t know if you’ve been compromised,” Chartier said.