Major Security Flaw Dubbed 'Heartbleed' Rocks the Web
Category: Bugs / Virus
Posted: April 8, 2014 03:20PM
A major vulnerability called Heartbleed was discovered Monday night in the open-source software called OpenSSL, which is widely used to encrypt communications, such as logins. In fact, it's so widely used that the vulnerability affects some of the biggest and most popular sites in the world, including Yahoo, Imgur, OKCupid, and Eventbrite. According to SteamDB.info, even Steam was affected!
The good news is that Yahoo, Imgur, and Steam have already fixed the issue as of a couple hours ago.
Officially designated CVE-2014-0160, the bug was given the more recognizable and memorable name Heartbleed by security firm Codenomicon, which discovered it along with Google researcher Neel Mehta. "This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users, and the actual content," Codenomicon said. "This allows attackers to eavesdrop communications, steal data directly from the services and users, and to impersonate services and users."
There is some conflicting information as to just how much information can be obtained: Codenomicon says it was able to steal "the secret keys used for [...] X.509 certificates" in its tests, but Google security expert Adam Langley claims that his testing didn't reveal information as sensitive as secret keys. Langley was one of the experts who helped close the OpenSSL hole – a fix which sites using OpenSSL can apply to block Heartbleed, and presumably what Yahoo, Imgur, and Steam used. There is nothing a user can do on their end, other than not using affected sites until the hole is patched.
If you're concerned about entering your sensitive information on a site that you suspect uses OpenSSL, developer and cryptography consultant Filippo Valsorda published a tool that allows people to check sites for the Heartbleed vulnerability. Unfortunately, the tool's servers are under such heavy load from people constantly checking that it often times out.
While the SteamDB.info Twitter account advises Steam users to change their passwords and "deauthorize computers" (essentially resetting Steam Guard without ever turning it off), it's important to note that SteamDB.info has absolutely no affiliation with Valve, so it's probably best to wait for an official statement. Since Valve is supposedly resetting all its certificates, it would make sense to change passwords after the new certificates are issued anyway, so that the new password is only ever sent under the new key. SteamDB.info supplied instructions on how to reset Steam Guard, since the process seemed to cause confusion among many users.