A security flaw was found in an encryption method widely used on websites, including Facebook, Google and Yahoo!, potentially exposing web traffic, sensitive user data and content, such as passwords, to cyber criminals.
The Heartbleed bug was found in the OpenSSL software by security researchers from Google Security and Codenomicon - a security testing company - in April 2014, prompting large technology companies to fix their systems.
On the heartbleed.com website, the researchers described the bug as allowing attackers “to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users”.
However, they believe that the flaw has been in the software since December 2011.
Cyber security experts have recommended that users of affected services change their passwords after the service has updated its software.
OpenSSL released an update to repair the flaw and companies had to update their software to be safe. The gap between the announcement of the flaw and a company updating its software, however, is a critical moment, providing a window for cyber criminals to pounce.
But even those who fix the software cannot necessarily see if a hacker has taken advantage of the vulnerability to access their systems. Netcraft, which monitors what code is used in each site, said more than half a million trusted websites were vulnerable to the bug.
In 2014, the first arrest of a hacker accused of exploiting the Heartbleed bug was announced by the Royal Canadian Mounted Police. The Canadian police force’s cyber crime unit said it had charged a man from Ontario in relation to the malicious breach of taxpayer data from the Canada Revenue Agency website - the country’s tax authority.
The agency said that the social insurance numbers of about 900 taxpayers had been stolen as a result of the vulnerability.
In the same year, American Funds, one of the world’s largest mutual fund providers, became the first financial institution to warn that its customers may be at risk from the security flaw which made much of the web vulnerable to cyber criminals.
Investors using the site between December 12, 2013, and April 14, 2014, may have had their confidential information compromised and were advised to change their passwords and security questions and to delete their browsing history.