Someone with the online handle Holmsey79 logged into Yahoo yesterday, and his account was instantly hacked. Simply because he logged in, a computer security firm called Fox IT was able to grab his online credentials from Yahoo's servers, including his password and his online session cookie.
This instant hack was made possible by Heartbleed, a bug in the internet's infrastructure that some are calling the worst thing they've seen in years. "'Catastrophic' is the right word. On the scale of 1 to 10, this is an 11," security expert Bruce Schneier wrote on his blog today.
The bug is such a problem that it may require what amounts to a massive password reset for the internet at large. Some services are already calling on users to reset their passwords, including Yahoo's Tumblr service and Heroku, a cloud service that runs all sorts of other applications. An informal survey of 10,000 internet sites, run on Tuesday, found that about 6 percent were vulnerable, but that doesn't paint the full picture: Amazon's load balancing service, used to help keep so many websites online, was vulnerable as well.
There are a couple of reasons why security experts say the bug is such a problem. First off, although Heartbleed was disclosed only this week, it has been sitting in OpenSSL, one of the most widely used pieces of internet software, since 2012. The flaw is in OpenSSL's implementation of the TLS heartbeat extension, which is where the name comes from. OpenSSL is what roughly two-thirds of the world's websites use to make secure connections to browsers. It's what you rely on when you log in to your banking website, or Gmail, or your corporate virtual private network.
But what makes Heartbleed really bad is the way it undermines the web's security. Thanks to the flaw, an attacker can trick any vulnerable SSL server into simply dumping up to about 64 thousand bytes of its memory, and the request can be repeated as often as the attacker likes, pulling out a different slice each time. It's a bit like going to the post office to pick up your mail and getting an extra 64 letters by mistake. You may get nothing useful. Or you may get something extremely valuable. On Tuesday, the Fox IT researchers got Holmsey79's password and session cookie. In short, everything you'd need to access a Yahoo account.
The thing that has folks like Schneier most worried is the idea that a server might give up its private encryption keys to this attack. That would give attackers who had been logging encrypted traffic sent to and from the server a way of reading that encrypted data, and a way of impersonating the server until its certificate is replaced. Right now, there's some preliminary evidence that this may not be possible, but the jury is still out. "It's early days yet with the vulnerability, so precisely how well people can weaponize it remains to be seen," says Morgan Marquis-Boire, a researcher at the Citizen Lab at the University of Toronto who also works as a security engineer at Google.
Some sites aren't vulnerable. These sites never upgraded to the buggy 2012 version of OpenSSL, or, as was the case with Google and Cloudflare, they were able to patch the flaw before it was disclosed on Monday. Right now, though, it's just not clear who was ever vulnerable to the flaw, or whether some evil hacker or three-letter government agency has been quietly exploiting it to snarf up data over the past two years; a heartbeat request normally leaves no trace in a server's logs.
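How that memory dump actually happens, as an added example that is not part of the original article and is not OpenSSL's own source: the C below is a simplified model of the heartbeat handler, with the vulnerable logic and the check that OpenSSL 1.0.1g added side by side. The arena buffer, the secret string, the record_t type and all function names are constructed for illustration; the real code works on OpenSSL's record structures, but the mistake is the same one. The attacker's message carries a 16-bit length field, the handler trusts it, and memcpy copies that many bytes from wherever the request landed in memory, which is how a cookie from another connection ends up in the reply.

```c
#include <stdio.h>
#include <string.h>

/* Heartbeat message types from RFC 6520. */
#define TLS1_HB_REQUEST  1
#define TLS1_HB_RESPONSE 2
#define HB_PADDING       16      /* minimum padding a peer must add   */
#define ARENA_SIZE       4096

/* A received TLS record (constructed stand-in for OpenSSL's rrec):
 * `data` points at the heartbeat body, `length` is how many bytes the
 * record really carried. */
typedef struct {
    const unsigned char *data;
    size_t length;
} record_t;

/* Simulated process memory: the request is written at the start and a
 * constructed secret sits a little further on, the way another
 * connection's cookie might. */
static unsigned char arena[ARENA_SIZE];
static const char secret[] = "Cookie: Y=v=1&n=holmsey79-session-token";

/* Build the echo response; returns its length, or 0 if dropped. */
static size_t build_response(const unsigned char *payload_start,
                             unsigned int payload, unsigned char *out, size_t outsz)
{
    size_t resp_len = 1 + 2 + payload + HB_PADDING;
    if (resp_len > outsz) return 0;           /* keeps this model in bounds */
    out[0] = TLS1_HB_RESPONSE;
    out[1] = (unsigned char)(payload >> 8);
    out[2] = (unsigned char)(payload & 0xff);
    memcpy(out + 3, payload_start, payload);  /* echoes `payload` bytes back */
    memset(out + 3 + payload, 0, HB_PADDING); /* stand-in for random padding */
    return resp_len;
}

/* Vulnerable handler (OpenSSL 1.0.1 through 1.0.1f): the length comes
 * straight from the attacker's message and is never compared with the
 * record length, so memcpy reads past the end of the record. */
size_t heartbeat_vulnerable(const record_t *rec, unsigned char *out, size_t outsz)
{
    const unsigned char *p = rec->data;
    unsigned int hbtype = *p++;
    unsigned int payload = ((unsigned int)p[0] << 8) | p[1];   /* n2s() */
    p += 2;
    if (hbtype != TLS1_HB_REQUEST) return 0;
    return build_response(p, payload, out, outsz);
}

/* Patched handler: the two length checks added in OpenSSL 1.0.1g. */
size_t heartbeat_fixed(const record_t *rec, unsigned char *out, size_t outsz)
{
    const unsigned char *p = rec->data;
    if (rec->length < 1 + 2 + HB_PADDING) return 0;              /* discard */
    unsigned int hbtype = *p++;
    unsigned int payload = ((unsigned int)p[0] << 8) | p[1];
    p += 2;
    if (1 + 2 + payload + HB_PADDING > rec->length) return 0;    /* discard */
    if (hbtype != TLS1_HB_REQUEST) return 0;
    return build_response(p, payload, out, outsz);
}

/* Byte search; strstr() is unusable because responses contain zero bytes. */
static int contains(const unsigned char *hay, size_t haylen, const char *needle)
{
    size_t n = strlen(needle);
    for (size_t i = 0; i + n <= haylen; i++)
        if (memcmp(hay + i, needle, n) == 0) return 1;
    return 0;
}

/* Send one malicious request to either handler; 1 if the secret leaked. */
int demo_leaks_secret(int use_fixed)
{
    memset(arena, 0, sizeof arena);
    /* Constructed attack: type=1, claimed length 1024, one real byte.
     * A real attacker claims up to 65535; 1024 keeps the arena in bounds. */
    arena[0] = TLS1_HB_REQUEST;
    arena[1] = 0x04; arena[2] = 0x00;
    arena[3] = 'A';
    memcpy(arena + 200, secret, sizeof secret);
    record_t rec = { arena, 4 };              /* the record was only 4 bytes */
    unsigned char resp[2048];
    size_t n = use_fixed ? heartbeat_fixed(&rec, resp, sizeof resp)
                         : heartbeat_vulnerable(&rec, resp, sizeof resp);
    return n != 0 && contains(resp, n, secret);
}

/* An honest 4-byte heartbeat still gets its 23-byte reply after the fix. */
size_t demo_benign_fixed(void)
{
    memset(arena, 0, sizeof arena);
    arena[0] = TLS1_HB_REQUEST;
    arena[1] = 0x00; arena[2] = 0x04;
    memcpy(arena + 3, "ping", 4);
    record_t rec = { arena, 1 + 2 + 4 + HB_PADDING };
    unsigned char resp[64];
    return heartbeat_fixed(&rec, resp, sizeof resp);
}

int main(void)
{
    printf("vulnerable handler leaked secret: %d\n", demo_leaks_secret(0));
    printf("patched handler leaked secret:    %d\n", demo_leaks_secret(1));
    printf("patched handler benign reply:     %zu bytes\n", demo_benign_fixed());
    return 0;
}
```

The patched handler drops any request whose claimed length does not fit inside the record it arrived in, so the echo can never reach past the bytes the client actually sent. Note that the vulnerable path here reads from a zero-filled arena rather than real heap, which is why the model itself does not crash; on a live server the bytes beyond the record are whatever happens to be there.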
The Big Reset
That's why we're on the verge of a giant password reset. "I think over the next 48 hours, we'll see a number of providers issue strong recommendations to reset their passwords," says Matthew Sullivan, a security researcher who blogged about how the bug could be used to steal someone's online credentials. "I think it would be wise for Yahoo to certainly issue a strong warning, and there are probably several other websites that would do the same."
Yahoo's Tumblr is already saying it. "This might be a good day to call in sick and take some time to change your passwords everywhere—especially your high-security services like email, file storage, and banking, which may have been compromised by this bug," the company said in a post. Salesforce's Heroku division is advising password resets too.
"Does the internet need to do a global password reset?" says Marquis-Boire. "Possibly not. Should they? Probably?"
But here's the tricky part. If you reset your password now on a website that is still vulnerable, you're probably wasting your time. After all, a hacker could theoretically read the new password from a vulnerable computer's memory as you were resetting it. And there are scripts out there now that make it pretty easy to get a memory dump from a vulnerable server. The work has to happen on the server side first: patch OpenSSL, then replace the certificate and private key in case they leaked, and invalidate existing sessions, since a stolen session cookie keeps working even after the password changes. Only then does a user's reset do any good. But, two days after its public disclosure, most banks and most responsible websites have made the update. Facebook is patched. So is Microsoft.
Some are taking action in other ways. We dropped that Yahoo user, Holmsey79, an email to see if a password change was in order, but the message bounced back. “This user doesn’t have a yahoo.com account,” the response said. Apparently, Holmsey79 had dumped the service altogether.