The bug that rocked the foundations of the web

April 9, 2014: 10:23 AM ET

It's called Heartbleed, and it leaves much of the Internet at risk of exploitation. Here's how.

By David Nield


FORTUNE -- Late on Monday afternoon, the details of one of the most serious security problems ever to affect the modern web were posted online. Dubbed Heartbleed, the vulnerability has major companies scrambling this week to patch their systems and could have been exploited to harvest data from millions of users. The flawed code has shipped in OpenSSL for more than two years, and exploiting it leaves no trace in a server's logs. Some estimates suggest that two-thirds of the web's servers have been at risk since 2011.

Heartbleed affects OpenSSL, one of the key libraries used to encrypt data online. It allows attackers to read sensitive information such as usernames, passwords and credit card details straight out of the memory of servers running the software. Microsoft and Apple ship their own TLS implementations rather than OpenSSL, but it is the default choice for countless companies large and small, and because the bug is in the library itself, every product built on an affected version inherits it.

A hacker making use of the Heartbleed vulnerability can "fish" for random chunks of data on a vulnerable server: a heartbeat request that claims a larger payload than it actually carries is answered with that many bytes of the server's memory, up to 64 kilobytes per request. Which bytes come back is a matter of luck, but the request can be repeated as often as the attacker likes, and nothing on the server records it. The data returned could include login details, private information, email messages and even the server's private encryption keys. Those keys are the most damaging loss: with them an attacker can impersonate the site convincingly, leaving no clue that it isn't genuine, and can decrypt any previously captured traffic that was not protected by forward secrecy.
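The mechanism described above, as an added example that is not OpenSSL's code or anything from the article: a constructed server buffer holds a heartbeat record (one byte of type, a two-byte payload length, the payload, then padding) followed by data from "another session", and two handlers process it. The vulnerable one trusts the attacker-supplied length field and echoes that many bytes; the fixed one refuses any declared length that exceeds what was actually received. The memory layout, the `secret` string and the lengths are all constructed here so the demo runs offline.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example modelling the heartbeat bug; it is not OpenSSL's code.
 * Record layout: 1 byte type, 2 byte payload length, payload, >=16 bytes
 * padding. The unpatched server copied `payload length` bytes back without
 * checking that many bytes had arrived. */

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16
/* Large enough that any 16-bit declared length stays inside this one object,
 * so the over-read is observable without the demo itself being undefined. */
#define MEM_SIZE    (3 + 65535 + HB_PADDING + 64)

static unsigned char server_memory[MEM_SIZE];
static const char secret[] = "session_cookie=hunter2";   /* constructed */

/* Write a heartbeat request into server_memory, then place "another
 * session's" data right after it. declared_len goes into the length field;
 * actual_len is how many payload bytes really arrive. Returns the true
 * record length as the TLS layer would report it. */
size_t build_request(uint16_t declared_len, size_t actual_len)
{
    memset(server_memory, 0, sizeof server_memory);
    server_memory[0] = HB_REQUEST;
    server_memory[1] = (unsigned char)(declared_len >> 8);
    server_memory[2] = (unsigned char)(declared_len & 0xff);
    memset(server_memory + 3, 'A', actual_len);
    size_t record_len = 3 + actual_len + HB_PADDING;      /* padding left zero */
    memcpy(server_memory + record_len, secret, sizeof secret);
    return record_len;
}

/* Build the response both handlers share: echo `payload` bytes that follow
 * the header, then padding. Returns a malloc'd buffer the caller frees. */
static unsigned char *make_response(const unsigned char *rec, uint16_t payload)
{
    unsigned char *bp = malloc(3 + (size_t)payload + HB_PADDING);
    if (!bp) return NULL;
    bp[0] = HB_RESPONSE;
    bp[1] = rec[1];
    bp[2] = rec[2];
    memcpy(bp + 3, rec + 3, payload);     /* reads `payload` bytes after the header */
    memset(bp + 3 + payload, 0, HB_PADDING);
    return bp;
}

/* Unpatched behaviour: the declared length is never compared with the
 * record length, so the copy walks past the record into whatever follows.
 * Returns the number of payload bytes echoed (0 on rejection). */
size_t heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                            unsigned char **out)
{
    (void)rec_len;                        /* ignored: this is the bug */
    *out = NULL;
    if (rec[0] != HB_REQUEST) return 0;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    *out = make_response(rec, payload);
    return *out ? (size_t)payload : 0;
}

/* Patched behaviour: reject records too short to hold header plus padding,
 * and reject any declared length larger than what was actually received. */
size_t heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                       unsigned char **out)
{
    *out = NULL;
    if (rec_len < 3 + HB_PADDING || rec[0] != HB_REQUEST) return 0;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)3 + payload + HB_PADDING > rec_len) return 0;   /* the missing check */
    *out = make_response(rec, payload);
    return *out ? (size_t)payload : 0;
}

/* 1 if needle occurs within the first len bytes of buf. */
int leaks(const unsigned char *buf, size_t len, const char *needle)
{
    size_t n = strlen(needle);
    for (size_t i = 0; i + n <= len; i++)
        if (memcmp(buf + i, needle, n) == 0) return 1;
    return 0;
}

int main(void)
{
    unsigned char *resp;
    size_t rec_len = build_request(64, 4);     /* attacker claims 64 bytes, sends 4 */
    size_t n = heartbeat_vulnerable(server_memory, rec_len, &resp);
    printf("vulnerable: echoed %zu bytes, secret leaked: %d\n",
           n, leaks(resp, 3 + n, "hunter2"));
    free(resp);
    n = heartbeat_fixed(server_memory, rec_len, &resp);
    printf("fixed: echoed %zu bytes (0 means rejected)\n", n);
    free(resp);
    return 0;
}
```

The one-line comparison in `heartbeat_fixed` is the whole difference between the two handlers; everything else, including the copy itself, is identical. That is why the patch was tiny while the exposure was enormous, and why the leaked bytes are arbitrary: the server simply returns whatever happened to sit after the request in its heap.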

Investigative journalist and security researcher Brian Krebs has posted in depth about the exploit. He tells Fortune: "Attackers can steal the 'keys to the kingdom,' as it were -- the private encryption keys that websites use to encrypt and decrypt all communications with visitors. As broad-scale Internet vulnerabilities go, this one is about as dangerous as it gets. While there are probably fewer than a half million sites that are vulnerable right now, many of the vulnerable sites have millions or even hundreds of millions of users."


Krebs points to online lists and tools that can be used to test a site for Heartbleed. Big-name portals such as Yahoo, Flickr, OKCupid, Zoho, 500px, Imgur and even the F.B.I. were identified as vulnerable as the news broke. Many sites have now put fixes in place -- as of Wednesday morning, Yahoo says it has rolled out an upgrade for the majority of its sites. Websites are not the only targets: mail servers and instant messaging services built on OpenSSL are exposed in the same way.

For any company that has a presence on the web and uses OpenSSL, this means an urgent round of upgrading and patching -- or an urgent call to the relevant web hosting firm. The latest version of OpenSSL fixes Heartbleed, but patching alone is not enough. Because private keys may already have been read out of memory, each affected server needs a new private key, a reissued certificate and revocation of the old one, and every process that loaded the old library must be restarted so that it picks up the fixed code. Even once the bug has been patched, there's no knowing how much data was lost in the interim, and the repercussions could be felt for years to come.
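The remediation sequence above, as an added example rather than anything from the article: a triage helper that classifies an `openssl version` string, and a key-rotation function that generates a fresh private key and certificate signing request after the library has been patched. The affected version range (1.0.1 through 1.0.1f, plus 1.0.2-beta1) comes from the upstream OpenSSL advisory, not from the article; the key directory, file names and certificate subject are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not the article's own material: triage an OpenSSL version
# string and rotate a server's TLS key once the fix is installed. Paths,
# file names and the subject below are assumptions.

# Print "vulnerable", "patched" or "unaffected" for a version string as
# printed by `openssl version` (for example "1.0.1f"). The range is the one
# given in the upstream OpenSSL advisory.
heartbleed_version_status() {
    case "$1" in
        1.0.1|1.0.1[a-f]*|1.0.2-beta1) echo vulnerable ;;
        1.0.1*|1.0.2*)                 echo patched ;;     # 1.0.1g and later
        *)                             echo unaffected ;;  # 0.9.8, 1.0.0 and 1.1+ never shipped the bug
    esac
}

# Generate a fresh 2048-bit RSA key and a CSR for host $1 under directory $2
# (assumed default /etc/ssl/private). The old key must be treated as stolen:
# once the CA issues the new certificate, install it, revoke the old one and
# restart every process that still has the old key or library loaded.
rotate_tls_key() {
    host="$1"
    dir="${2:-/etc/ssl/private}"
    umask 077
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/$host.key.new" || return 1
    openssl req -new -key "$dir/$host.key.new" -subj "/CN=$host" \
        -out "$dir/$host.csr" || return 1
    echo "CSR written to $dir/$host.csr; submit it to the CA, then revoke the old certificate"
}

# Report on the locally installed OpenSSL, if there is one.
if command -v openssl >/dev/null 2>&1; then
    v=$(openssl version | awk '{print $2}')
    echo "openssl $v: $(heartbleed_version_status "$v")"
fi
```

One caveat for the triage step: several Linux distributions backported the fix into packages that still report 1.0.1e, so a "vulnerable" verdict from the version string alone is a prompt to check the package changelog or run one of the live test tools, not a final answer. The rotation step, by contrast, is unconditional for any server that ran an affected build while exposed; there is no way to tell from the machine itself whether its key was read.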

"Many Internet users will probably be asked at least once this week to change their passwords at various sites," Krebs says. "Affected website administrators have to replace the private keys and certificates for their OpenSSL installations after patching the bug. And since this exploit for many sites seems to leave few traces behind, many organizations will probably want to be on the safe side and will be advising users to change their passwords as well."


As far as end users are concerned, there's not much choice but to sit it out and avoid affected sites until an update has been rolled out. Changing a password only helps once the site in question has been patched and has replaced its keys; a new password entered on a still-vulnerable server can be harvested just like the old one. The usual common sense approaches -- keeping a close eye on credit card bills and watching for suspicious activity online -- are among the best steps to staying safe.

"People often joke that 'Oh, perhaps we should stay off the Internet' in response to certain threats, but in this case I think that may not be a horrible idea," Krebs says. "If you happen to log in to a site that is vulnerable, there is a more than trivial chance that some attacker will steal your credentials . . . the problem is that it's not readily apparent to the end user which sites are fine and which are still vulnerable."

The bug was first spotted by engineers at Google and Codenomicon, who posted an information page online and christened the vulnerability "Heartbleed" because it sits in OpenSSL's implementation of the TLS heartbeat extension, a keep-alive feature that lets one end of a connection ask the other to echo a short message back. "Your popular social site, your company's site, commerce site, hobby site, site you install software from or even sites run by your government might be using vulnerable OpenSSL," warns the announcement.

This week, IT managers across the globe will be working feverishly to get their systems up to date, and praying that no one took advantage of Heartbleed. The most worrying part? They may never know.
