Critical security vulnerability Heartbleed disclosed in OpenSSL

Shawn Knight


The OpenSSL project on Tuesday disclosed a major security flaw called Heartbleed that could be used by those with malicious intent to spy on the “secret digital handshake” that takes place during secure transactions using Transport Layer Security (TLS) / Secure Sockets Layer (SSL) technology.

Specifically, those that use a certain version of the OpenSSL software library are at risk thanks to a minor coding error. That error allows an attacker to grab certain parts of data that should be protected by the protocol. This data can reveal personal information such as usernames, passwords and credit card information, but truth be told, the scope of the vulnerability is much greater.
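To make the "minor coding error" concrete, here is an added example that is not code from the article or from OpenSSL itself: a simplified C model of the TLS heartbeat handler. The `memory` buffer and the function names are constructed for the model; the point is the length check that the original code lacked, which let a short record pull whatever sat next to it in memory into the reply.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_PADDING  16
#define HB_REQUEST  1
#define HB_RESPONSE 2

/* Constructed "process memory": a 3-byte heartbeat record followed by data
 * that must never leave the server. The record claims a 16-byte payload
 * but carries none. (Constructed sample, not real captured traffic.) */
static const uint8_t memory[] = {
    HB_REQUEST, 0x00, 0x10,                 /* type, claimed length = 16 */
    'S','E','C','R','E','T','K','E','Y','B','Y','T','E','S','!','!',
};
#define RECORD_LEN 3  /* only three bytes actually arrived on the wire */

/* Builds a heartbeat response into out. Returns bytes written or -1. */
static int heartbeat_reply(const uint8_t *rec, size_t rec_len,
                           uint8_t *out, size_t out_cap, int check_length)
{
    if (rec_len < 3 || rec[0] != HB_REQUEST) return -1;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    /* The bounds check the original code lacked: the claimed payload and
     * padding must fit inside the record that was actually received. */
    if (check_length && 3 + claimed + HB_PADDING > rec_len) return -1;
    if (3 + claimed + HB_PADDING > out_cap) return -1;
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + 3, rec + 3, claimed);      /* unchecked: reads past record */
    memset(out + 3 + claimed, 0, HB_PADDING);
    return (int)(3 + claimed + HB_PADDING);
}

/* Returns how many bytes of the adjacent secret a handler echoes back:
 * 16 for the unchecked handler, -1 (record rejected) for the checked one. */
int leaked_bytes(int check_length)
{
    uint8_t out[64];
    int n = heartbeat_reply(memory, RECORD_LEN, out, sizeof out, check_length);
    return n < 0 ? -1 : (int)(n - 3 - HB_PADDING);
}

/* A well-formed record (claimed length matches what arrived) still passes
 * the checked handler; returns the reply length. */
int good_record_reply_len(void)
{
    uint8_t good[3 + 2 + HB_PADDING] = { HB_REQUEST, 0x00, 0x02, 'h', 'i' };
    uint8_t out[64];
    return heartbeat_reply(good, sizeof good, out, sizeof out, 1);
}

int main(void)
{
    printf("unchecked handler echoes %d bytes it never received\n", leaked_bytes(0));
    printf("checked handler result: %d (malformed record rejected)\n", leaked_bytes(1));
    return 0;
}
```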

Once an attacker gets a look at how a site identifies itself, they could use the newfound encryption keys to launch man-in-the-middle attacks and trick people into thinking their storefront is valid. What’s more, since the attacker would have the master key, they can essentially walk right into a system to view previous transactions and the like without leaving a trace or raising suspicion.

The good news is that not all versions of OpenSSL are affected and, better yet, there's already a fix in the wild. That probably isn't too comforting at this point, considering how long the vulnerability remained unpatched, and since the attack would leave no traces, there's no telling how often it was used and by how many people.

As such, you have to assume that every site was attacked. And with sites like Yahoo, Imgur and Flickr on the list, it’s probably a safe bet that some of your information got out.

The best course of action is to avoid affected sites until they have been patched and change your login credentials after the fact.


 
All VPNs just became useless?

Just wondering, if the SSL connection to the servers aren't secure, they won't need to ask who you are, they will know?
 
All VPNs just became useless?

Just wondering, if the SSL connection to the servers aren't secure, they won't need to ask who you are, they will know?
They have to be specifically trying to break into the VPN. If it is a major VPN provider, you probably will have a problem!
 
Well, I asked the question of the VPN earlier, and to shiv who replied. I could imagine a little team from the MPAA / RIAA jumping on this like hot sauce; this is like a gift from the heavens for them, is it not? Regardless of how illegal their footing may be to do such a thing, they still would.

I understand not every site etc. is affected or has been fixed to protect against the sploit; apparently Twitter, Google and a few others got on this, Steam on the other hand apparently did not.
 
Well, I asked the question of the VPN earlier, and to shiv who replied. I could imagine a little team from the MPAA / RIAA jumping on this like hot sauce; this is like a gift from the heavens for them, is it not? Regardless of how illegal their footing may be to do such a thing, they still would.

I understand not every site etc. is affected or has been fixed to protect against the sploit; apparently Twitter, Google and a few others got on this, Steam on the other hand apparently did not.
They couldn't use that information in court, I wouldn't have thought... they would be guilty of hacking the servers.
 