SciTech

Dangerous Heartbleed bug may bleed your online accounts

Credit: Eunice Oh

It’s likely that you have heard of the Heartbleed bug, which recently made headlines in the technology community. Although the bug began as a simple coding mistake made two years ago, its consequences have propagated across the Internet; the bug itself was only recently discovered, independently, by Neel Mehta of Google Security and a team of security engineers at Codenomicon, according to heartbleedbug.com.

The bug had such far-reaching consequences that a number of private and public companies hurriedly deployed the bug patch, and sent their customers emails urging them to change their passwords because their accounts may have been compromised. The campus community also received an email from Official Communications, informing them that Computing Services was looking into the issue and that Andrew passwords did not need to be changed because the university’s web login at login.cmu.edu was not affected by the bug.

The Heartbleed bug is a serious vulnerability in OpenSSL, a widely used library that implements the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) cryptographic protocols, which protect private data such as passwords and financial information as it travels over the network. The bug allows hackers to steal that protected information without leaving a trace, and thus threatens security and privacy across the Internet.

The Heartbleed bug takes advantage of the heartbeat option in the SSL/TLS protocol, a way for a client computer (e.g. your computer) to check that the server is still at the other end of the connection, since connections are sometimes dropped when a computer has been inactive for too long. The client sends the server a message containing three things: a request for confirmation, a randomly chosen word, and the number of letters in that word.

The server sends back a message containing the same word, confirming that it is still on the other side of the connection. The following slightly simplified conversation, from xkcd.com, highlights how the heartbeat operation works:

Client: “Server, are you still there? If so, reply ‘POTATO’ (6 letters).”
Server: “POTATO”

The Heartbleed bug lies in the fact that the server does not check that the word it has been asked to repeat is actually as long as the number the client specified. In the above exchange, for example, the server didn’t check that the word “POTATO” is really 6 letters long; it simply trusted that the client had provided the correct information. A malicious client can provide a much larger number and thereby obtain private information about other users that is held in the server’s memory. The following is another simplified conversation, this time a malicious one, from xkcd.com:

Client: “Server, are you still there? If so, reply ‘HAT’ (500 letters).”
Server: “HAT. Lucas requests the ‘missing connections’ page. Eve (administrator) wants to set the server’s master key to ‘14835038534’ …..”

As you can see, the malicious user now knows the master key for the server and can exploit that information. The seriousness of the vulnerability lies in the fact that the malicious user can request as many as 64,000 characters with each message and can send such messages repeatedly, obtaining a different piece of memory each time, because the contents of the server’s memory keep changing with the requests it handles. This type of attack leaves no trace of malicious activity and is hence hard to detect.
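To make the missing check concrete, here is an added C illustration (not OpenSSL’s own code): a simulated heartbeat handler that trusts the peer’s claimed length, beside one that applies the bounds check the fix introduced. The simulated server memory, the record-layout constants and the function names are constructed for this demo; the record format follows RFC 6520.

```c
#include <stdint.h>
#include <string.h>

/* Heartbeat record (RFC 6520): 1-byte type, 2-byte big-endian payload
 * length, payload, then at least 16 bytes of padding. */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_MIN_PAD  16
#define RECORD_LEN  (1 + 2 + 3 + HB_MIN_PAD)   /* bytes received for "HAT": 22 */

/* Constructed stand-in for server memory (mem must hold >= 160 bytes):
 * the received record first, then other sessions' data that must not leak. */
size_t make_memory(uint16_t claimed, unsigned char *mem) {
    static const char others[] = " Lucas requests the 'missing connections' page. "
        "Eve (administrator) wants to set the server's master key to ...";
    size_t n = 0;
    mem[n++] = HB_REQUEST;
    mem[n++] = (unsigned char)(claimed >> 8);   /* length the peer claims */
    mem[n++] = (unsigned char)(claimed & 0xff);
    memcpy(mem + n, "HAT", 3);                  n += 3;
    memset(mem + n, 0, HB_MIN_PAD);             n += HB_MIN_PAD;
    memcpy(mem + n, others, sizeof others - 1); n += sizeof others - 1;
    return n;                                   /* simulated memory in use */
}

/* Vulnerable handler: echoes as many bytes as the peer *claims*, never asking
 * how many were received. In a real process the copy runs off the record into
 * the heap; here it is clamped to the simulated memory only to stay well defined. */
size_t heartbeat_vulnerable(const unsigned char *mem, size_t mem_len,
                            size_t record_len, unsigned char *out) {
    (void)record_len;                                   /* the bug: never consulted */
    size_t claimed = ((size_t)mem[1] << 8) | mem[2];
    if (claimed > mem_len - 3) claimed = mem_len - 3;   /* simulation guard only */
    out[0] = HB_RESPONSE;
    out[1] = (unsigned char)(claimed >> 8); out[2] = (unsigned char)(claimed & 0xff);
    memcpy(out + 3, mem + 3, claimed);                  /* leaks whatever follows */
    return 3 + claimed;
}

/* Fixed handler: header, claimed payload and padding must all fit inside the
 * bytes actually received, else the record is silently dropped (returns 0). */
size_t heartbeat_fixed(const unsigned char *mem, size_t record_len,
                       unsigned char *out) {
    if (record_len < 1 + 2 + HB_MIN_PAD) return 0;
    size_t claimed = ((size_t)mem[1] << 8) | mem[2];
    if (1 + 2 + claimed + HB_MIN_PAD > record_len) return 0;
    out[0] = HB_RESPONSE; out[1] = mem[1]; out[2] = mem[2];
    memcpy(out + 3, mem + 3, claimed);
    return 3 + claimed;
}
```

With an honest length of 3 both handlers return a 6-byte “HAT” response; with a claimed length of 500 the vulnerable handler also returns the other sessions’ text that follows the record, while the fixed handler drops the request.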

Since many major websites use OpenSSL to encrypt their data, the Heartbleed bug has left many accounts vulnerable. A survey conducted by W3Techs showed that 81 percent of websites run on the web server programs Apache and Nginx, both of which use OpenSSL. A new version of OpenSSL, with the necessary bug fix, has been released. Most software vendors have promptly updated their systems to the new version, but a few have yet to do so. However, despite the fix, if hackers were aware of the bug before it was patched, they may already have obtained a lot of information and may be able to use it to their advantage.

The silver lining is that you can take steps to minimize the chances of your online accounts being hacked.

Changing your password once the website has implemented the fix will secure your account, because hackers will only have the old information and, thanks to the fix, can no longer obtain your updated password. If you receive an email from any service provider asking you to change a password, you should do so as soon as possible. According to mashable.com, you should change the passwords for your Google, Facebook, Instagram, Tumblr, Netflix, Venmo, Dropbox, and GitHub accounts, among others, because they were vulnerable to the Heartbleed bug when it was detected and have since patched their systems.

It may be a good idea to change passwords for your other online accounts as well, just to be sure that all your accounts are secure.