Hundreds of thousands of web and email servers worldwide have a software flaw that lets attackers steal the cryptographic keys used to secure online commerce and web connections, experts say.
They could also leak personal information to hackers when people carry out searches or log into email.
The bug, called “Heartbleed”, affects web servers running a package called OpenSSL.
Among the systems confirmed to be affected are Imgur, OKCupid, Eventbrite, and the FBI’s website, all of which run affected versions of OpenSSL. Attacks using the vulnerability are already in the wild: one lets a hacker look at the cookies of the last person to visit an affected server, revealing personal information. Connections to Google are not vulnerable, researchers say.
SSL is the most common technology used to secure websites. Web servers that use it securely send an encryption key to the visitor; that is then used to protect all other information coming to and from the server.
It is crucial in protecting services like online shopping or banking from eavesdropping, as it renders users immune to so-called man in the middle attacks, where a third party intercepts both streams of traffic and uses them to discover confidential information.
Source: Guardian UK | Alex Hern