SAN FRANCISCO — The discovery of a significant flaw in software that was supposed to provide extra protection for thousands of websites has thrown the tech world into chaos as experts scrambled to understand the scope of the vulnerability.

On Tuesday, Tumblr, which is owned by Yahoo, became the largest website to disclose that it had been hit by the “Heartbleed Bug” and urged users to change not just the password for its site but for all others as well.

But signaling just how much uncertainty and confusion surrounds the glitch, security experts warned that such a gesture might actually be useless: if a site has not fixed the problem, hackers could just as easily steal the new password.

FOR THE RECORD:

Website security: An article in the April 9 Business section about the “Heartbleed Bug” contained a quote offering advice to consumers that was attributed to Andrew Storms, director of DevOps at CloudPassage. It was Chris Eng, vice president of research at the application security testing firm Veracode, not Storms, who said: “Avoid things like online banking and avoid sensitive sites if you’re not sure.”



Although security analysts wouldn’t go as far as telling users to stay off the Internet completely, they said users should avoid doing anything sensitive like online banking. If it’s necessary to go online, check whether a service has said it is affected or has fixed the problem.


“The scope of this is immense,” said Kevin Bocek, vice president of security strategy and threat intelligence for Venafi, a Salt Lake City cybersecurity company. “And the consequences are still scary. I’ve talked about this like a ‘Mad Max’ moment. It’s a bit of anarchy right now. Because we don’t know right now who has the keys and certificates on the Internet right now.”

“Heartbleed Bug” is a vulnerability in something called OpenSSL, a technology used to provide encryption for an estimated 66% of all servers on the public Internet. OpenSSL is open-source code that is developed and maintained by a community of developers, rather than by a single company.

While such jargon is unfamiliar to average users, most people online have likely seen the green padlock icon in the address bar of their browser, followed by “https,” which indicates that the OpenSSL-added security has been enabled.

The vulnerability was discovered separately last week by Neel Mehta, a security researcher at Google, and a team of security engineers at Codenomicon, a security website that has since created a website with information about Heartbleed.


“Heartbleed is like finding a faulty car part used in nearly every make and model, but you can’t recall the Internet and all the data you put out on it,” said Jonathan Sander, vice president of research and technology for Stealthbits Technologies, a cybersecurity firm in Hawthorne, NJ.

It appears the bug was introduced into OpenSSL by a simple programming mistake that then got pushed out as websites around the world updated the version of OpenSSL they were running.

After the discovery last week, news spread quickly around the Web on Tuesday as the implications became clearer. As Tumblr made its announcement, security experts found numerous “exploits” or simple pieces of software widely available online that any hacker could grab and use to attack sites left vulnerable by Heartbleed.

By running such exploits, a hacker could in just a few seconds download countless emails, passwords, user IDs and much other personal information.


“It’s a very simple script,” said Chris Eng, vice president of research at application security testing firm Veracode. “And there’s still a lot of websites out there that are vulnerable.”

An updated version of OpenSSL has been issued, and sites can use that to fix the bug. In addition to updating OpenSSL, sites will need to update many pieces of their security protocols known as keys and certificates that help them confirm the identity of users.

But Internet users are now facing a dilemma: How do they know they can trust a site? Because hackers may have gotten so much personal and website security information, experts are worried they can use that to create fake copies or “spoofs” of real sites that will induce users to disclose even more information.

“Avoid things like online banking and avoid sensitive sites if you’re not sure,” said Andrew Storms, director of DevOps at CloudPassage. “Some people will see it as overkill. But I think that’s the simplest guidance. If you can hold off doing something online for a couple days, then you should.”


chris.obrien@latimes.com

salvador.rodriguez@latimes.com

Twitter: @obrien, @sal19