Technology: Heartbleed, Today’s Biggest Internet Nightmare


If you have a Facebook account or a Gmail account that you use for work, chances are the confidential information you shared through those sites may have been exposed.

How? Through a flaw in the software that is supposed to encrypt that traffic, a bug nicknamed "Heartbleed".

To understand Heartbleed, start with encryption.

The idea is to make sure that whatever information you send to a website stays private on its way there and back.

The concept of encryption is like two people sharing a secret language that nobody else understands. In practice, that secret language takes the form of encryption keys.

The user (that is you) and the site (Facebook, or a phone app talking to its server) agree on keys for your session, and the site also holds a long-term private key that proves it is who it claims to be. To keep attackers out of the picture, these keys must stay secret at all times.

For example, when you check your account on the bank's website, the raw data behind it is exposed if anyone can read the traffic. You do not want anyone except you and your bank to have access to it.

To solve that problem, websites follow a security protocol commonly referred to as Secure Sockets Layer (SSL), more precisely its successor TLS. Most of them rely on OpenSSL, "an open set of libraries for encrypting online services," as Mashable defines it.

This means that most of your favourite social networking sites and smartphone apps use this library. Why? Mainly because it is free and it works well.

According to the Huffington Post, almost 66% of the sites we interact with on a daily basis run on OpenSSL.

Any site that shows HTTPS (Hypertext Transfer Protocol Secure) in its URL (Uniform Resource Locator) and ran a vulnerable OpenSSL release (1.0.1 through 1.0.1f) was exposed to this bug.

And this is where the problem lies.

Heartbleed is a flaw in OpenSSL itself, which means that the confidential information you sent to a site such as Facebook may have been exposed. A third party could have read it, and chances are they could have done so without you or the site noticing.

Bruce Schneier, a security expert, has a thorough description of how the attack is made through Heartbleed.

“Basically, an attacker can grab 64K of memory from a server. The attack leaves no trace, and can be done multiple times to grab a different random 64K of memory. This means that anything in memory — SSL private keys, user keys, anything — is vulnerable. And you have to assume that it is all compromised. All of it,” he said.
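To make the "grab 64K of memory" concrete, here is a simplified model of the TLS heartbeat handling that caused the bug. This is an added example written for this page, not OpenSSL's code: the 128-byte "server memory", the fake secret placed after the heartbeat record, and the `fixed` switch are all constructed for illustration. A heartbeat request carries a length field, and the vulnerable server copied that many bytes into its reply without checking that the request actually contained them, so a tiny request claiming a large payload came back padded with whatever sat next to it in memory. The `fixed` branch models the bounds check that OpenSSL 1.0.1g added.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Added model of the TLS heartbeat handling behind Heartbleed. Simplified
 * re-implementation for illustration, not OpenSSL's source. */

#define TLS1_HB_REQUEST  1
#define TLS1_HB_RESPONSE 2
#define HB_PADDING       16   /* minimum padding a heartbeat must carry */

/* Simulated server heap: the incoming heartbeat record is immediately
 * followed by unrelated data (a constructed, fake secret). On a real server
 * that neighbouring memory held other users' requests, cookies and keys. */
static const char *FAKE_SECRET = "session=abc123; key=hunter2";
static unsigned char server_mem[128];

/* Handle one heartbeat record of rec_len bytes at rec. Writes the reply into
 * resp (capacity resp_cap) and returns its length, or -1 if the record is
 * dropped. fixed=0 models the vulnerable logic, fixed=1 the 1.0.1g checks. */
static int handle_heartbeat(const unsigned char *rec, size_t rec_len,
                            unsigned char *resp, size_t resp_cap, int fixed)
{
    const unsigned char *p = rec;
    unsigned int hbtype, payload;

    if (fixed && rec_len < 1 + 2 + HB_PADDING)
        return -1;                      /* too short to be a valid heartbeat */

    hbtype  = *p++;
    payload = (p[0] << 8) | p[1];       /* length field: sender controlled */
    p += 2;

    /* The fix: the claimed payload must fit inside the record that actually
     * arrived. Without it, `payload` may be up to 65535 while the record is
     * only a few bytes long. */
    if (fixed && 1 + 2 + (size_t)payload + HB_PADDING > rec_len)
        return -1;

    if (hbtype != TLS1_HB_REQUEST)
        return -1;
    if (3 + (size_t)payload + HB_PADDING > resp_cap)
        return -1;                      /* bound of this model's reply buffer only */

    resp[0] = TLS1_HB_RESPONSE;
    resp[1] = (unsigned char)(payload >> 8);
    resp[2] = (unsigned char)(payload & 0xff);
    memcpy(resp + 3, p, payload);       /* the Heartbleed read: trusts `payload` */
    memset(resp + 3 + payload, 0, HB_PADDING);
    return (int)(3 + payload + HB_PADDING);
}

/* Lay out a request carrying the 4-byte payload "PING" but whose length
 * field says `claimed`, then place the fake secret right after it. Returns
 * the real record length (23 bytes). */
static size_t build_record(unsigned int claimed)
{
    size_t rec_len = 1 + 2 + 4 + HB_PADDING;
    memset(server_mem, 0, sizeof server_mem);
    server_mem[0] = TLS1_HB_REQUEST;
    server_mem[1] = (unsigned char)(claimed >> 8);
    server_mem[2] = (unsigned char)(claimed & 0xff);
    memcpy(server_mem + 3, "PING", 4);
    memcpy(server_mem + rec_len, FAKE_SECRET, strlen(FAKE_SECRET) + 1);
    return rec_len;
}

static int find_bytes(const unsigned char *hay, size_t n, const char *needle)
{
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(hay + i, needle, m) == 0) return 1;
    return 0;
}

/* Send a record claiming 64 payload bytes but carrying 4. Returns 1 if the
 * reply contains part of the fake secret, 0 if the server rejected it. */
int heartbeat_leaks_secret(int fixed)
{
    unsigned char resp[256];
    size_t rec_len = build_record(64);
    int n = handle_heartbeat(server_mem, rec_len, resp, sizeof resp, fixed);
    if (n < 0) return 0;
    return find_bytes(resp, (size_t)n, "hunter2");
}

/* A well-formed 4-byte heartbeat is still echoed back, fixed or not. */
int honest_heartbeat_echoed(int fixed)
{
    unsigned char resp[256];
    size_t rec_len = build_record(4);
    int n = handle_heartbeat(server_mem, rec_len, resp, sizeof resp, fixed);
    return n == (int)rec_len && memcmp(resp + 3, "PING", 4) == 0;
}

int main(void)
{
    printf("vulnerable server leaks secret: %d\n", heartbeat_leaks_secret(0));
    printf("fixed server leaks secret:      %d\n", heartbeat_leaks_secret(1));
    printf("honest request still answered:  %d\n", honest_heartbeat_echoed(1));
    return 0;
}
```

Note that nothing in the exchange is logged or malformed from the server's point of view: the request parses cleanly, the reply is a valid heartbeat, and the only evidence is the extra bytes the attacker keeps. Repeating the request simply returns whatever now happens to sit next to the record, which is why the advice above is to assume everything in that memory was exposed.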

Fortunately, Heartbleed was found by researchers rather than discovered in the wake of an attack. However, experts said that despite this bit of good news, you should assume that anything you shared during the roughly two years the bug was present may already have been exposed.

So what can you do to stop it?

Nothing much.

“Even worse, the technical nature of Heartbleed means that as an end user, you are limited in how to protect yourself. The onus is on the person who manages the web service — or who manages the back-end service the web service uses — not the end user,” reported Christina Warren of Mashable.

But do not fret.

As a user, you can still protect yourself from this threat, but timing matters. Wait until the website you use has confirmed whether it was vulnerable, has patched its systems and has replaced its digital certificate (revoking the old one, since the private key may have leaked). Only then change your password: a new password entered before the patch could be leaked just like the old one.

It is also worth logging out of every site at the end of each session. Logging out invalidates your session, so a session cookie that leaked from the server's memory is of far less use to an attacker.

Facebook and Google (along with most of Google's services, though not Chrome) have announced that they were indeed vulnerable to the bug. Fortunately, they have since patched it, and you should change your passwords there now.

For the list of websites that are affected by the bug, you may check it here.
