The new bug allows attackers to gain sensitive information protected by SSL/TLS encryption.
A new exploit in OpenSSL, the core cryptographic library, has been reported by security researchers. The exploit could easily allow attackers to gain access to information such as credit card numbers, usernames, passwords, and other sensitive data.
Google security researcher Neel Mehta and the security research firm Codenomicon discovered the flaw and reported that attackers can abuse it without leaving a trace.
The bug, called Heartbleed, is a serious vulnerability in the OpenSSL cryptographic software library that allows the theft of protected information.
SSL is the encryption standard used by the majority of websites for secure data transmission through email or IM chat. Occasionally, a computer checks for a secure connection at the other end through a small packet of data called a heartbeat.
The following tweet was sent by a security researcher:
Do not login to Yahoo! The OpenSSL bug #heartbleed allows extraction of usernames and plain passwords! http://t.co/OuF3FM10GP
— Mark Loman (@markloman) April 8, 2014
The researchers discovered that a programming error in the implementation of OpenSSL allows a well-disguised packet of data, similar to a heartbeat, to trick the computer at the other end into sending data stored in its memory.
This flaw thus leaks memory content from the server to the client and from the client to the server.
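The missing check described above, as an added example (not OpenSSL's code and not from the original article): a receiver that validates the length a heartbeat request claims against the bytes actually received, using the RFC 6520 message layout. The function and constant names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define HB_REQUEST   1   /* heartbeat_request type, RFC 6520 */
#define HB_RESPONSE  2   /* heartbeat_response type, RFC 6520 */
#define HB_HEADER    3   /* 1-byte type + 2-byte payload_length */
#define HB_MIN_PAD   16  /* minimum padding required by RFC 6520 */

/*
 * Hypothetical helper: build the echo for one heartbeat request.
 * rec/rec_len: the bytes actually received in the record.
 * out/out_cap: buffer for the reply (type + length + payload;
 *              the reply's own padding is left out for brevity).
 * Returns bytes written to out, or -1 if the message must be
 * silently discarded.
 */
long hb_build_response(const uint8_t *rec, size_t rec_len,
                       uint8_t *out, size_t out_cap)
{
    size_t claimed;

    /* Too short to hold even an empty heartbeat: discard. */
    if (rec_len < HB_HEADER + HB_MIN_PAD)
        return -1;
    if (rec[0] != HB_REQUEST)
        return -1;

    /* Length the sender claims; peer-controlled, never trusted alone. */
    claimed = ((size_t)rec[1] << 8) | rec[2];

    /* The bounds check: header + claimed payload + padding must fit
     * inside what was received, otherwise the copy below would read
     * past the record into unrelated memory. */
    if (claimed > rec_len - HB_HEADER - HB_MIN_PAD)
        return -1;
    if (out_cap < HB_HEADER + claimed)
        return -1;

    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HEADER, rec + HB_HEADER, claimed);
    return (long)(HB_HEADER + claimed);
}
```

A request whose claimed length matches its contents is echoed; one that claims more than the record holds, or is shorter than the minimum message, is dropped without a reply.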
“The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software,” said the Heartbleed website.
The leaked materials include primary key materials such as encryption keys; secondary key materials like user names and passwords; protected content such as personal or financial details, private communication, instant messages, documents or anything worth protecting by encryption; and collateral such as memory addresses and canaries used for protection against overflow attacks.
The bug was introduced in OpenSSL in December 2011 and has been in the wild since the release of OpenSSL 1.0.1 on 14 March 2012.
“As long as the vulnerable version of OpenSSL is in use it can be abused,” says the website.
According to the website, OpenSSL 1.0.1g, released on 7 April 2014, fixes the bug.
“Operating system vendors and distribution, appliance vendors, independent software vendors have to adopt the fix and notify their users. Service providers and users have to install the fix as it becomes available for the operating systems, networked appliances and software they use.”
The researchers who discovered the vulnerability acted responsibly by informing the developers behind OpenSSL before making it public, thus allowing them to fix the bug.