A new security bug has been found in OpenSSL, the cryptographic library that secures most of the internet's websites, and Yahoo is one of the of the most well-known domains known to have been compromised.

Security researchers are very concerned as the bug - dubbed Heartbleed - has been around for two years and affects encryption of data sent over the internet, meaning users' passwords and other sensitive data are open to being spied on.

Other websites featured on the top 1,000 websites list compiled by Mustafa Al-Bassam (a former member of the LulzSec hacker collective who is now a computer science student) include popular websites like Imgur, Flickr, OKCupid, WeTransfer, Eventbrite, Web.de, Outbrain, Stackexchange and Kickass Torrents.

It will be difficult to discover if or when you have been compromised as attackers are able to exploit the flaw without leaving any trace of their presence.

What is OpenSSL?

OpenSSL is the software library used in servers, operating systems, email and instant messaging systems to protect internet traffic as it travels back and forth. More than 53% of the web servers which host more than 500 million websites use the software which relies on OpenSSL

(Source: NetCraft)


The bug was first brought to light by security firm Codenomicon, who attempted to attack their own servers:

What is Heartbleed Bug? IBTimes UK

"We have tested some of our own services from attacker's perspective. We attacked ourselves from outside, without leaving a trace. Without using any privileged information or credentials we were able steal from ourselves the secret keys used for our X.509 certificates, user names and passwords, instant messages, emails and business critical documents and communication," they wrote on an in-depth information page.

Codenomicon adds that anyone on the internet exploiting the flaw will be able to read the memory of a machine that's protected by a vulnerable version of the OpenSSL library.

Security researcher Filippo Valsorda has developed an online test that allows anyone to find out whether a server is vulnerable to being attacked, simply by entering the server's hostname.

Not an TLS/SSL flaw

A new version of OpenSSL, version 1.0.1g is now available to download to patch the flaw, which was caused by an implementation problem in the OpenSSL cryptography library, not a design flaw in SSL/TLS - the protocols used to provide secure communication online.

"There is no flaw in the TLS protocol or the way it is designed, it's simply an implementation bug that has a catastrophic failure mode. The error is the code equivalent of a typo. But some typos are worse than others," explains Paco Hope, Principal Consultant, at Cigital, a consulting firm which helps organisations to develop secure software.

"The vulnerabilities in the software you use matter just as much as vulnerabilities in code you write. Finding and fixing such bugs requires applying security throughout the software lifecycle and on all the relevant code, not exclusively at the end and not just exclusively on code you write. And if you acquire software from third parties, you care about what they integrate into the product as much as what they write for you."

Fox IT has published a list of indicators that can help companies to identify if their servers may be vulnerable.

According to Fox IT, attackers can retrieve the source code of the website, usernames and passwords, as well as private SSL keys.