A team of security researchers at the University of Michigan has used an open source network scanner called ZMap to search the Internet for servers still vulnerable to the " Heartbleed " exploit, which can be used to retrieve user names, passwords, and possibly even private encryption keys from servers that use the popular OpenSSL 1.0.1 cryptographic library. OpenSSL patched the vulnerability earlier this week, but hundreds of thousands of Web servers and other network-connected devices that use the affected libraries are still vulnerable.

ZMap, developed at the University of Michigan by Assistant Professor J. Alex Halderman and computer science graduate students Zakir Durumeric and Eric Wusterow, can perform a complete scan of the Internet's address space in less than 45 minutes if run on a machine with a gigabit network connection. Durumeric, Halderman, undergraduate computer science student David Adrian, and Research Associate Professor Michael Bailey configured a ZMap scan for the Heartbleed vulnerability, seeded with Alexa's list of the 1 million most popular domains on the Internet.

"As of 4:00 PM on April 9, 2014," the researchers reported in their results, "we found that 34 percent of the Alexa Top 1 Million websites support TLS. Of the websites that support HTTPS, 11 percent are vulnerable, 27 percent safely support the heartbeat extension, and 61 percent do not support the heartbeat extension (and are therefore safe). While we are still completing full scans of the Internet, initial results show that approximately 6% of all hosts that support HTTPS remain vulnerable. We will be updating these numbers as more scan results become available. We are not releasing full Internet-wide scans at this time."

The top domain vulnerable to the Heartbleed bug is Kaskus, an Indonesian social media site, which uses SSL-based connections for user-authenticated sessions. Also showing up in the report (at least as of yesterday) are some sites that may not use SSL in a way that exposes user credentials, such as cloud-based file sharing provider ZeoNet, which uses SSL and TLS to encrypt uploads. It does not use username and password authentication, though the contents of files being sent to service might be at risk through a Heartbleed attack. Twitter photo sharing service Twitpic.com uses OAuth tokens for authentication, not usernames, and is also vulnerable. And some sites that show up on the report may not use HTTPS for anything at all. (One such site, Clickey.com, doesn't properly authenticate itself over a secure connection.)

Perhaps the most attractive target for malicious hackers at the top of the list is Avazu Network, an online advertising network. And a large number of of e-commerce sites are still exposed, including a Russian Android phone store and a number of alternative Android app stores.