Heartbleed: don't rush to update passwords, security experts warn

Internet security researchers say people should not rush to change their passwords after the discovery of a widespread "catastrophic" software flaw that could expose website user details to hackers.

The flaw, dubbed "Heartbleed", could reveal anything which is currently being processed by a web server – including usernames, passwords and cryptographic keys being used inside the site. Those at risk include Deutsche Bank, Yahoo and its subsidiary sites Flickr and Tumblr, photo-sharing site Imgur, and the FBI.

About half a million sites worldwide are reckoned to be insecure. "Catastrophic is the right word," commented Bruce Schneier, an independent security expert. "On the scale of 1 to 10, this is an 11."

But suggestions by Yahoo and the BBC that people should change their passwords at once – the typical reaction to a security breach – could make the problem worse if the web server hasn't been updated to fix the flaw, says Mark Schloesser, a security researcher with Rapid7, based in Amsterdam, Netherlands.

Doing so "could even increase the chance of somebody getting the new password through the vulnerability," Schloesser said, because logging in to an insecure server to change a password could reveal both the old and new passwords to an attacker.

The bug exists in a piece of open source software called OpenSSL, which is meant to encrypt communications between a user's computer and a web server. But security researchers have no way to prove whether or not the flaw, which has existed since at least March 2012, has been exploited.

The bug's age, and its presence in software to which anyone can submit an update, has led to speculation that it could have been inserted and then exploited by government spy agencies such as the US's National Security Agency, which is known to have programs aiming to collect user data. "My guess is accident, but I have no proof," Schneier commented.

Tumblr, which is affected, issued a warning to its users on Tuesday night. Although the firm said it had "no evidence of any breach", and has now fixed the issue on its servers, it recommends users take action.

"This might be a good day to call in sick and take some time to change your passwords everywhere — especially your high-security services like email, file storage, and banking, which may have been compromised by this bug," it says. The advice to change passwords was repeated elsewhere, by groups including the BBC.

But Rapid7's Schoessler cautioned against doing that. "The estimate is that the larger providers all get patched within the next 24-48 hours [Thursday to Friday afternoon] and I would agree that people should change their credentials when a provider has updated their OpenSSL versions."

Users can check whether a specific site remains vulnerable to Heartbleed with a tool put together by developer Filippo Valsorda.

The Heartbleed vulnerability is only found in a few recent releases of OpenSSL, a software library that lets web servers initiate secure conversations.

In affected versions, it lets attackers potentially read content out from the active memory of a web server.

While some servers have fixed the OpenSSL flaw, the cascading nature of the problem means that they may not be fully safe. The flaw lets a determined attacker steal the private key to a site's SSL certificate, the code that enables all communications with the server to be held securely.

Sites which have updated OpenSSL but are still using the same certificate as before – such as Deutsche Bank's main consumer portal in Germany – may show up as secure on initial inspection, but remain easy for attackers to penetrate.

"Risk to users exist until organisations have updated OpenSSL, acquired a new certificate, generated and deployed new SSL keys, and revoked old keys and certs," says Trey Ford, global security strategist at Rapid7. "Until this is done, attacks may still be able to steal cookies, sessions, passwords, and the key material required to masquerade as the website."

Yahoo was one of the sites worst affected by Heartbleed, but the firm has now fixed its main properties, including subsidiaries Flickr and Tumblr, and says it is "working to implement the fix across the rest of our sites".

"We’re focused on providing the most secure experience possible for our users worldwide and are continuously working to protect our users’ data," a Yahoo spokesperson added.