Heartbleed bug affects Yahoo, OKCupid sites; users face losing passwords

Heartbleed bug affects Yahoo, OKCupid sites; users face losing passwords

Summary: UPDATE 3: Because of a major bug in OpenSSL, Yahoo users are advised not to log in to their email and instant messaging accounts, and other services until the bug is fixed.

SHARE:
TOPICS: Security
12
Screen Shot 2014-04-08 at 1.19.27 PM
A sign of trouble for Yahoo (Image: Fillippo.io)

It's one of the only times you'll see me write this: Seeing the words "yellow submarine" is not a good thing today.

A major flaw in OpenSSL, one of the most popular cryptographic libraries used, has left more than two-thirds of the world's web servers vulnerable to data inspection and snooping by hackers.

This exploit can allow attackers to obtain private keys which can be used to decrypt personal and sensitive data, including passwords, credit cards details, and email addresses. The flaw, according to ZDNet's Steven J. Vaughan Nichols, is due to an implementation problem — a programming flaw — rather than that of an issue with its inherent design.

And until the OpenSSL bug, dubbed "Heartbleed," is fixed by web server operators and major companies alike, users should stay clear of certain websites and check them before hand before visiting.

And that includes Yahoo users, of which hundreds of millions are affected, and also OKCupid, a popular urban dating application. 

Imgur told ZDNet by email it fixed the Heartbleed flaw this afternoon. A spokersperson for the image sharing service said: "We also invalidated sensitive data such as cookies and session IDs, just to be on the safe side," and noted that the firm did not believe any attacks have taken place on the service as a result of the bug.

Convo also said in a statement that it has "instituted the proper patches," and, "to date, we have no evidence of any breach." Its spokesperson added: "In addition, our at-rest encryption ensures that an SSL breach would not lead to any of our server data being compromised."

Yahoo did not return ZDNet's request for comment immediately, but as of 4pm ET, the site appeared to be "not affected," according to an online checker.

Meanwhile, LastPass users should not be affected by the bug, according to the company, which wrote in a blog post on Tuesday:

"LastPass customers do not need to be concerned about their LastPass accounts. Though LastPass employs OpenSSL, we have multiple layers of encryption to protect our users and never have access to those encryption keys."

The security firm, which as its flagship service allows its customers to use one password for all their websites and services, said it also employs a feature called "perfect forward secrecy," which it says ensures when security keys are changed, past and future traffic cannot be decrypted even when a key is compromised.

At the time of writing, LastPAss was not showing as "vulnerable" on the Heartbleed website checker, which allows web users to check sites if they are vulnerable to the OpenSSL flaw before visiting them.

Update at 2:40pm ET and 3:30pm ET: with statements from Imgur and Convo.

Topic: Security

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

12 comments
Log in or register to join the discussion
  • Windows is immune

    All versions of Windows (servers, home, workstation, vista, xp, 7, 8) are immune to this flaw. However, the online services you use that is running on Linux or Unix may very well be affected and may leak your passwords and credentials.

    Take care.
    honeymonster
    • Nice trolling....

      Windows has enough vulnerabilities to be worried by one.

      And BTW. Starting tomorrow Windows XP (yes, that's Windows although you may want to deny it) will be open to attacks from all over, just by the neglicence of Microsoft which can't face the fact that some people don't want their newer stuff.
      cosuna
      • ah that's how it works

        Just because some People don't want their newer stuff, Microsoft should support XP indefinitely ?

        Can you name me one Linux distro that actually enjoyed over 12 years of support ?

        And yes the Ssl implementation on Windows is indeed not vulnerable, that is merely a fact.

        And seeing that this particular gem has been present in openssl for over two years isn't exactly a positive point for open source either, quite the opposite really.
        sjaak327
    • Perhaps not

      OpenSSL is sometimes installed on Windows systems; and sometimes web servers other than IIS are run on Windows servers.

      And IIS has had its own history of security problems (does the phrase "Hacked by China" mean anything to you?), so don't crow too loudly.
      John L. Ries
      • Yes openssl used with apache

        Is indeed vulnerable.

        Of course let's not discuss iis problems, it's not like Apache has had a flawless history !
        sjaak327
    • RTF Parsing Flaw

      http://technet.microsoft.com/en-us/security/advisory/2953095
      Alan Smithie
  • OS X is immune as well

    While Apple has had their own major fail ("Apple goto fail") - Web servers running on OS X are not affected by this one.
    honeymonster
    • Depends

      If you're using the MacPorts version of OpenSSL, you are.
      John L. Ries
      • Clarification

        You're vulnerable if you're running the MacPorts version of OpenSSL and haven't updated yet.
        John L. Ries
  • Indeed

    both Windows (doesn't use openssl) and OSX (uses an old version of openssl) are not affected.

    As you rightly pointed out, any websites that you use might leak your credentials :)

    I have just patched two Linux boxes, although both are not publicly accessible on port 443, one was publicly accessible on port 25 (smtp using ssl) so I just replaced the certificates and the private key.

    Good I usually do maintenance on Linux boxes on patch Tuesday, so in that sense, it is not a big issue :)
    sjaak327
  • Heartbleed Detector

    I made the page at http://rehmann.co/projects/heartbeat/ to help diagnose the issue!
    lrehmann
  • So We Are All Doomed Anyways???

    Washington Post (April 9) has a few updates about some major services that fixed the bug.
    http://www.washingtonpost.com/news/morning-mix/wp/2014/04/09/heartbleed-what-you-should-know/

    "Tumblr says it has no evidence of any breach and took immediate action to fix the issue. However, the site suggests that users change their passwords."

    "Amazon has fixed the bug for most of its services...." [apparently refers to just AWS and not main Amazon.com shopping site which is probably okay?]

    "As of 11 p.m. Tuesday, Twitter and Facebook had not posted warnings about the breach on their corporate sites."

    "Around 3 p.m. Tuesday, Yahoo told CNET: “As soon as we became aware of the issue, we began working to fix it. Our team has successfully made the appropriate corrections across the main Yahoo properties...."

    "Google confirmed to Digg.com that it had applied the SSL update to its key services."

    etc. etc. etc.

    my guess is that the major sites got the heads up before the news was made public and got to work right away and were fixed by the time of the middle of the news cycle when this all hit the fan publicly. but it's like we are all doomed anyways....
    i-want-gizmos