A bug within OpenSSL has left encrypted data supposedly protected by the cryptographic software library open to scammers.

The problem was uncovered by a team of researchers from Google Security and Codenomicon. "This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet," they wrote on their website. "SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs)."

The vulnerability has been dubbed the Heartbleed Bug because it was discovered "in the OpenSSL's implementation of the TLS/DTLS (transport layer security protocols) heartbeat extension (RFC6520)," the team said.

Unfortunately, the bug is not new. It was introduced into OpenSSL in December 2011 and has been in the wild since version 1.0.1 was released in March 2012. The fix, version 1.0.1g, launched on Monday. It does not affect all versions of OpenSSL, just 1.0.1 through 1.0.1f (not 1.0.1g, the 1.0.0 branch, or the 0.9.8 branch).
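As an added triage example (not from the article or from OpenSSL itself), the following Python function turns the affected range stated above, 1.0.1 through 1.0.1f, into a check over the version strings that `openssl version` prints; the host inventory it runs over is constructed sample data.

```python
import re

# Upstream OpenSSL version strings look like "OpenSSL 1.0.1e 11 Feb 2013"
# or "OpenSSL 1.0.1f-fips 6 Jan 2014": numeric triple plus an optional
# lowercase patch letter, which OpenSSL orders alphabetically.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(text):
    """Return (major, minor, patch, letters) from a version string, or None."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4))


def is_heartbleed_vulnerable_version(text):
    """True if the upstream version number is in the affected range.

    Affected: 1.0.1 (no letter) through 1.0.1f.
    Not affected: 1.0.1g (the fix), the 1.0.0 branch, the 0.9.8 branch.
    """
    parsed = parse_openssl_version(text)
    if parsed is None:
        raise ValueError("no OpenSSL version number found in: %r" % text)
    major, minor, patch, letters = parsed
    if (major, minor, patch) != (1, 0, 1):
        return False
    # '' (plain 1.0.1) sorts before 'a', and 'a'..'f' sort before 'g'.
    return letters <= "f"


# Constructed sample inventory: hostname -> output of `openssl version`.
SAMPLE_INVENTORY = {
    "web-1": "OpenSSL 1.0.1e 11 Feb 2013",
    "mail-1": "OpenSSL 1.0.1g 7 Apr 2014",
    "legacy-1": "OpenSSL 0.9.8y 5 Feb 2013",
    "proxy-1": "OpenSSL 1.0.1 14 Mar 2012",
}


def hosts_needing_attention(inventory):
    """Sorted hostnames whose reported version falls in the affected range."""
    return sorted(h for h, v in inventory.items()
                  if is_heartbleed_vulnerable_version(v))


if __name__ == "__main__":
    print(hosts_needing_attention(SAMPLE_INVENTORY))
```

Distribution packages often backport a fix without changing the upstream version number, so a match here is a prompt to check the package changelog, not a confirmed exposure.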

"As long as the vulnerable version of OpenSSL is in use it can be abused," the researchers said.

Complicating matters is the fact that exploits are untraceable. "We attacked ourselves from outside, without leaving a trace," the team said. "Without using any privileged information or credentials we were able to steal from ourselves the secret keys used for our X.509 certificates, user names and passwords, instant messages, emails and business critical documents and communication."

"This bug has left a large amount of private keys and other secrets exposed to the Internet," they warned. "Considering the long exposure, ease of exploitation and attacks leaving no trace, this exposure should be taken seriously."

But results appear to vary, as noted by Adam Langley, a Google security expert who helped fix the flaw.

"When testing the OpenSSL heartbeat fix I never got key material from servers, only old connection buffers. (That includes cookies though.)" — Adam Langley (@agl__), April 8, 2014

For more, check out SSL Bug Threatens Secure Communications.
