"On the scale of 1 to 10, this is an 11," wrote security expert Bruce Schneier in a blog post this week. He was referring to Heartbleed, the devastating two-year-old bug that was only revealed Monday. It is quickly snowballing into the single biggest security vulnerability in Internet history. Here's what you need to know about it, what it's doing to companies, and what you can do to protect your data.
What is Heartbleed?
It's a bug in OpenSSL encryption, a software library that Google, Facebook, Yahoo, Amazon, and a very big chunk of the world's biggest websites use to secure the transmission of private information. The average user is probably unfamiliar with OpenSSL, but it is represented in your URL bar by the little lock symbol, next to HTTPS. Essentially, the exploit gifts hackers and cybercriminals a skeleton key to a hidden world of private data. They can waltz in, reach into a grab bag of secure information (emails, IMs, passwords, etc.), and walk away without a trace.
How widespread is it?
According to Schneier, about half a million websites have been made vulnerable to attack. Although the exact extent of the damage is unclear, security experts say this is exactly the kind of easy vulnerability hackers have a field day with. "It affects two-thirds of the Internet's infrastructure," Wayne Jackson, security expert and CEO of Sonatype tells Fast Company. "I don't think this is all that different from bugs that we see that get reported. It's just that this one is foundational."
How is the private data gathered?
Heartbleed allows hackers to reach into the exchange of private computer memory handled by OpenSSL, allowing them to pull out information en masse. What gets pulled out is randomized: Sometimes you'll get something benign, like a timestamp. Worst case is they'll get something like the encryption key itself. It's like a private-data piñata.
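The "reach into private memory" the article describes comes from the TLS heartbeat extension (RFC 6520): a heartbeat message carries a two-byte payload_length field, and unpatched OpenSSL trusted that field instead of checking it against the bytes actually received. The following is an added example, not code from the article or from OpenSSL, that performs the bounds check the fix introduced, the same check an intrusion-detection rule can apply to heartbeat records on the wire. The sample records are constructed inline; the message layout follows RFC 6520.

```python
import struct

# TLS record content type for the heartbeat extension (RFC 6520) and the
# two message types it defines.
TLS_HEARTBEAT = 24
HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
MIN_PADDING = 16  # RFC 6520: at least 16 bytes of random padding


def parse_tls_record(data: bytes):
    """Split one TLS record into (content_type, version, fragment)."""
    if len(data) < 5:
        raise ValueError("truncated TLS record header")
    content_type, version, length = struct.unpack("!BHH", data[:5])
    fragment = data[5:5 + length]
    if len(fragment) != length:
        raise ValueError("record length field does not match bytes present")
    return content_type, version, fragment


def check_heartbeat(fragment: bytes) -> dict:
    """Apply the bounds check that the fixed OpenSSL code performs: the
    declared payload_length, plus the 3-byte header and 16 bytes of
    padding, must fit inside the bytes actually received."""
    if len(fragment) < 1 + 2 + MIN_PADDING:
        return {"ok": False, "reason": "shorter than the minimum heartbeat message"}
    hb_type = fragment[0]
    (payload_length,) = struct.unpack("!H", fragment[1:3])
    if hb_type not in (HEARTBEAT_REQUEST, HEARTBEAT_RESPONSE):
        return {"ok": False, "reason": "unknown heartbeat type %d" % hb_type}
    available = len(fragment) - 3 - MIN_PADDING
    if payload_length > available:
        # This is the case the unpatched code did not catch: it trusted
        # payload_length and echoed that many bytes back from memory.
        return {"ok": False,
                "reason": "declared payload_length exceeds received data",
                "declared": payload_length, "available": available}
    return {"ok": True, "type": hb_type,
            "payload": fragment[3:3 + payload_length]}


def inspect_record(data: bytes) -> dict:
    """Return a verdict for one TLS record; non-heartbeat records pass through."""
    content_type, _version, fragment = parse_tls_record(data)
    if content_type != TLS_HEARTBEAT:
        return {"ok": True, "reason": "not a heartbeat record"}
    return check_heartbeat(fragment)


# Constructed sample records (TLS 1.1 version bytes 0x0302), not captured traffic.
# A well-formed request: payload_length 3, payload "abc", 16 bytes of padding.
GOOD_FRAGMENT = (bytes([HEARTBEAT_REQUEST]) + struct.pack("!H", 3)
                 + b"abc" + b"\x00" * MIN_PADDING)
GOOD_RECORD = struct.pack("!BHH", TLS_HEARTBEAT, 0x0302, len(GOOD_FRAGMENT)) + GOOD_FRAGMENT

# A malformed request: payload_length claims 16384 bytes but only one byte of
# payload follows. A validator must reject it rather than trust the field.
BAD_FRAGMENT = (bytes([HEARTBEAT_REQUEST]) + struct.pack("!H", 16384)
                + b"x" + b"\x00" * MIN_PADDING)
BAD_RECORD = struct.pack("!BHH", TLS_HEARTBEAT, 0x0302, len(BAD_FRAGMENT)) + BAD_FRAGMENT

if __name__ == "__main__":
    for name, rec in (("well-formed", GOOD_RECORD), ("malformed", BAD_RECORD)):
        print(name, inspect_record(rec))
```

The "randomized" contents the article mentions follow directly from this: whatever happened to sit in the process heap after the short real payload was what got copied into the response, which is why a single record could return anything from a timestamp to key material.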
What does it look like?
Here, for example, is a sample that was siphoned up from Yahoo Mail's servers. The password has been redacted, but it gives you a visual idea of how Heartbleed works.
What companies are most at risk?
Google, Yahoo, and Amazon are, in all likelihood, not in great danger by now. Most were made aware of the bug on Tuesday afternoon and claim to have remedied the problem. Security blogger Graham Cluley points out that smaller sites like OKCupid, Imgur, Flickr, and Eventbrite were, potentially, in greater danger. Dropbox, IFTTT, and Netflix say they have installed the necessary patches. Several companies have told me that they have not seen the exploit affect customers directly. Fast Company will update this post as we hear back from more companies.
I run a website. Is there any way I can check if I'm at risk?
Yes, there is. You can use this tool designed by Filippo Valsorda. If vulnerable, you'll have to update your SSL certificate—which now includes a patch—and change your passwords. All of them.
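Besides an external checker, a site operator can look at the OpenSSL build on the server itself. The affected releases are OpenSSL 1.0.1 through 1.0.1f (plus the 1.0.2-beta1 pre-release); 1.0.1g carries the fix, and releases before 1.0.1 never had the heartbeat extension. The following is an added example, not a tool from the article or from the OpenSSL project, that classifies the string printed by `openssl version`. The sample strings are constructed for illustration.

```python
import re
import shutil
import subprocess

# Matches strings such as "OpenSSL 1.0.1e 11 Feb 2013" or "OpenSSL 1.0.2-beta1 24 Feb 2014".
VERSION_RE = re.compile(r"^OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-(beta\d+))?", re.IGNORECASE)


def classify_openssl_version(version_string: str) -> str:
    """Return 'affected', 'fixed' or 'unaffected' for an `openssl version` line.

    'unaffected' means the heartbeat extension is not present at all
    (releases before 1.0.1); 'fixed' means 1.0.1g or later.
    """
    m = VERSION_RE.match(version_string.strip())
    if not m:
        raise ValueError("unrecognised version string: %r" % version_string)
    base = tuple(int(m.group(i)) for i in (1, 2, 3))
    letter, beta = m.group(4).lower(), m.group(5)
    if base < (1, 0, 1):
        return "unaffected"            # heartbeat support arrived in 1.0.1
    if base == (1, 0, 1):
        return "affected" if letter < "g" else "fixed"   # 1.0.1 .. 1.0.1f
    if base == (1, 0, 2) and beta and beta.lower() == "beta1":
        return "affected"              # the one 1.0.2 pre-release shipped with the bug
    return "fixed"


def local_openssl_version() -> str:
    """Run `openssl version` on this host, if the binary is available."""
    exe = shutil.which("openssl")
    if exe is None:
        raise RuntimeError("openssl binary not found on PATH")
    return subprocess.run([exe, "version"], capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    try:
        line = local_openssl_version()
        print(line.strip(), "->", classify_openssl_version(line))
    except (RuntimeError, ValueError) as err:
        print("could not classify local build:", err)
```

One caveat a practitioner should keep in mind: Linux distributions often backport the fix while leaving the version letter unchanged, so a build that reports 1.0.1e can already be patched. The version string is a quick first screen; the package changelog, or a library that refuses over-long heartbeat requests, is the authoritative answer.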
What can I do to protect my private information?
No one is 100% sure. Some security experts think it is best to change your password right away. A growing chorus of others, like security firm Veracode, recommend sitting back and waiting for confirmation from each individual company that they have fixed the situation, and only then changing your password. "If anything, it should raise people's awareness about how fragile Internet infrastructure can be," says Jackson. "We've kind of been living off this super high of technology innovations, and every once in a while you have to deal with the consequences."