This exploit can allow attackers to obtain private keys which can be used to decrypt personal and sensitive data, including passwords, credit card details, and email addresses. The flaw, according to ZDNet's Steven J. Vaughan-Nichols, is due to an implementation problem — a programming flaw — rather than an issue with its inherent design.
And until the OpenSSL bug, dubbed "Heartbleed," is fixed by web server operators and major companies alike, users should steer clear of certain websites and check them beforehand before visiting.
Imgur told ZDNet by email it fixed the Heartbleed flaw this afternoon. A spokesperson for the image sharing service said: "We also invalidated sensitive data such as cookies and session IDs, just to be on the safe side," and noted that the firm did not believe any attacks had taken place on the service as a result of the bug.
Convo also said in a statement that it has "instituted the proper patches," and, "to date, we have no evidence of any breach." Its spokesperson added: "In addition, our at-rest encryption ensures that an SSL breach would not lead to any of our server data being compromised."
Yahoo did not immediately respond to ZDNet's request for comment, but as of 4pm ET, the site appeared to be "not affected," according to an online checker.
Meanwhile, LastPass users should not be affected by the bug, according to the company, which wrote in a blog post on Tuesday:
"LastPass customers do not need to be concerned about their LastPass accounts. Though LastPass employs OpenSSL, we have multiple layers of encryption to protect our users and never have access to those encryption keys."
The security firm, whose flagship service allows customers to use one password for all their websites and services, said it also employs a feature called "perfect forward secrecy," which it says ensures that when security keys are changed, past and future traffic cannot be decrypted even if a key is compromised.
At the time of writing, LastPass was not showing as "vulnerable" on the Heartbleed website checker, which allows web users to check whether sites are vulnerable to the OpenSSL flaw before visiting them.
Updated at 2:40pm ET and 3:30pm ET with statements from Imgur and Convo.