A bug in OpenSSL called Heartbleed has left the majority of the Internet's secure servers exposed, potentially leaking millions of users' private data from email servers, bank servers and almost any other service that relies on this widely used library.
The bug has affected many popular websites and services — ones you might use every day, like Gmail and Facebook — and could have quietly exposed your sensitive account information (such as passwords and credit card numbers) over the past two years.
How it works:
Client: Hi, I want to login! My info is "username" and "password".
Server: Ok, you're logged in!
Client: I want to make sure you're still there. I'm going to count down from ten, can you repeat it to me? 10,9,8,7,6,5,4,3,2,1.
Server: Ok, that's 10,9,8,7,6,5,4,3,2,1.
Client: Great!
That's how the heartbeat works. With Heartbleed in effect:
Client: Hi, I want to login! My info is "username" and "password".
Server: Ok, you're logged in!
Attacker: I want to make sure you're still there. I'm going to count down from ten, can you repeat it to me? 10.
Server: Okay, that's 10,username,password.
Because the server never verifies that the client (or attacker) actually sent as much data as it claimed, it simply echoes back the requested amount of memory. For an honest client that is exactly what was wanted. But an attacker can send far less than claimed and receive whatever happened to sit in that memory, in plaintext: private keys, login details, session cookies and the like.
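To make the missing check concrete, here is an added C example (not code from this post or from OpenSSL) that simulates a heartbeat handler over a constructed block of memory. The record layout follows RFC 6520; `conn_mem`, `build_memory`, `heartbeat_vulnerable` and `heartbeat_fixed` are hypothetical names, and the "username,password" bytes are constructed stale data standing in for whatever a real server happened to have in memory.

```c
#include <stdint.h>
#include <string.h>

/* Simplified TLS heartbeat record (RFC 6520): byte 0 = type, bytes 1..2 =
 * payload_length (big-endian), then payload and at least 16 bytes of padding.
 * conn_mem is a constructed stand-in for connection memory: the record sits at
 * the front and stale bytes from earlier processing sit right behind it. */
#define MEM_SIZE 64
static uint8_t conn_mem[MEM_SIZE];

/* Build the scenario from the post: one real payload byte ('1'), a claimed
 * length of `claimed`, `padding` bytes of padding, then leftover credentials.
 * Returns the number of bytes actually received on the wire. */
size_t build_memory(uint16_t claimed, size_t padding) {
    const char *stale = "username,password";   /* constructed stale data */
    size_t rec_len = 4 + padding;               /* header + payload + padding */
    memset(conn_mem, 0, sizeof conn_mem);
    conn_mem[0] = 1;                            /* HeartbeatRequest */
    conn_mem[1] = (uint8_t)(claimed >> 8);
    conn_mem[2] = (uint8_t)(claimed & 0xff);
    conn_mem[3] = '1';
    memcpy(conn_mem + rec_len, stale, strlen(stale));
    return rec_len;
}

/* Pre-fix behaviour: the claimed length is trusted and never compared with
 * rec_len, so the echo reaches past the record into whatever lies behind it. */
int heartbeat_vulnerable(size_t rec_len, uint8_t *out, size_t out_cap) {
    uint16_t len = (uint16_t)((conn_mem[1] << 8) | conn_mem[2]);
    (void)rec_len;                              /* the check that is missing */
    if (len > out_cap || 3u + len > MEM_SIZE) return -1; /* stay inside our array */
    memcpy(out, conn_mem + 3, len);
    return (int)len;
}

/* Fixed behaviour (the shape of the OpenSSL 1.0.1g change): type, length field,
 * claimed payload and minimum padding must all fit in what was received;
 * otherwise the request is silently discarded and nothing is echoed. */
int heartbeat_fixed(size_t rec_len, uint8_t *out, size_t out_cap) {
    uint16_t len;
    if (rec_len < 3) return -1;                 /* header incomplete */
    len = (uint16_t)((conn_mem[1] << 8) | conn_mem[2]);
    if ((size_t)1 + 2 + len + 16 > rec_len) return -1;
    if (len > out_cap) return -1;
    memcpy(out, conn_mem + 3, len);
    return (int)len;
}
```

Running `build_memory(18, 0)` (claims 18 bytes, sends 1) through `heartbeat_vulnerable` echoes "1username,password", while `heartbeat_fixed` rejects the same record and only answers a well-formed one such as `build_memory(1, 16)`.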
Here is a list of some sites that were affected: click here
It is always good practice to change your passwords every few months. Also, never reuse the same password for other services that hold private information, such as banking.
This is just a recommendation: Change your passwords for any services that store sensitive data, just to be on the safe side.