'Heartbleed' Bug Exposes Millions of Websites to Security Risks

Millions of websites may have been leaking critically sensitive data for the past two years, thanks to a devastating flaw in the OpenSSL software many sites use to encrypt and transmit data. The Heartbleed bug, as it's called by the researchers who discovered it, would let anyone on the Internet get into a supposedly secure Web server running certain versions of OpenSSL and scoop up the site's encryption keys, user passwords and site content.

Once an attacker has a website's encryption keys, anything is fair game: Instead of slipping through a proverbial crack in the wall, he can now walk in and out the front door.

There have been no documented instances of attacks exploiting the Heartbleed bug. But because an attack using the bug would leave no trace, and the potential damage from an attack would be so significant, all websites that ever used the affected versions of OpenSSL should be considered compromised.

There have been no documented instances of website attacks exploiting the Heartbleed bug.

Websites that are currently vulnerable to Heartbleed exploits include Yahoo, Comixology, Flickr, Imgur and OculusVR. Many other top sites — including Facebook, Google, Wikipedia, Amazon, Twitter, Apple and Microsoft — are not currently vulnerable, though some may have been in the past.

Most secure websites encrypt traffic to and from their servers using a protocol called SSL/TLS. There are several different encryption "libraries" that can be used in this protocol, and one of the most widely used is an open-source library called OpenSSL.

The Heartbleed bug is in versions of OpenSSL issued from December 2011 onward, not in SSL/TLS itself. Not every instance of SSL or TLS encryption across the Internet is compromised. But OpenSSL is the default encryption library in Apache and Nginx server software, which power two-thirds of all websites.

An attack exploiting the Heartbleed bug would leave no trace in an attacked Web server's logs. It's impossible to tell how many sites, if any, may have been exploited, and how many may have been vulnerable over the past two years.

Neel Mehta of Google Security and a team of engineers at Oulu, Finland-based security company Codenomicon first discovered the Heartbleed bug, though they haven't specified when. They've created a FAQ page at heartbleed.com with full details.

- NBC