Heartbleed bug – how to stay safe from the online security flaw

From Google to Facebook and YouTube to Yahoo!, this week has seen a major security flaw uncovered in many of the world’s biggest websites. The Heartbleed bug is estimated to have affected half a million websites, potentially rendering secure user information available to hackers.

Most worryingly, it means your email, cloud storage and banking passwords may no longer be secure, but don’t press the panic button just yet. Several websites have already addressed the vulnerability, and we’re here to help when it comes to restoring the integrity of your accounts.


What is the Heartbleed bug?

OpenSSL is used to encrypt and secure various connections on the internet so that a third party (i.e. a hacker) can’t intercept the data transmitted. For anyone who knows how to exploit it, the Heartbleed bug renders this security measure void. This means usernames and passwords can be harvested by ne’er-do-wells for their own personal gain.

Is your account likely to have been hacked?

The Heartbleed bug first originated in March 2012, but was only discovered recently by researchers for Google and Finnish security firm Codenomicon. Because an attack targeting Heartbleed leaves no footprint, it’s impossible to know how many people may have been affected.

This is troubling as many of the world’s most popular websites have been found to be vulnerable. What’s important now is knowing which of these have fixed the bug, and are safe to use your credit card and other personal details with.

Which websites have patched up the Heartbleed flaw?

At the time of writing, the following major websites have been confirmed to be protected from the Heartbleed bug:

  • Amazon
  • eBay
  • Google
  • Facebook
  • Microsoft Live
  • Netflix
  • PayPal
  • Twitter
  • YouTube
  • Yahoo!

You can also rest easy when using Which.co.uk, Which? Tech Daily, Which? Conversation and any other Which? affiliated website. A more extensive list of protected sites is available from CNET. And, to test a website yourself, use the Qualys SSL Server Test which will produce a result similar to the image below for protected sites.

[Image: Qualys SSL Server Test result for a protected site]

If a website is patched against Heartbleed, is it safe to use?

The short answer is ‘yes’, but you should really change your password to be doubly safe. When writing a new password be sure to use a mixture of letters, numbers and symbols. Also, be careful not to fall into the trap of using ‘password’, ‘psswd’, ‘12345’, ‘00000’ or your own surname to protect yourself. It seems like an obvious mistake to avoid, but countless web users have fallen into this trap. For more information, read our guide to creating the perfect online password.

Finally, we’d recommend keeping an eye out for suspicious activity related to your bank account and shopping sites over the coming weeks. Chances are you should be OK, but a little extra precaution never hurt anyone.


12 replies

  1. The list above does not distinguish between websites that have never been at risk (do nothing) and those that have fixed the problem (change your password now). This is very unhelpful.

    1. JPL is quite right. We need to know:

      – Websites never at risk
      – Websites that were at risk, but are now fixed
      – Websites that are still at risk

      Hopefully the latter group will migrate to the second group, so these two groups need to be updated regularly.

  2. A couple of small points.
    1. The date for the start of the problem is slightly wrong. The programmer released the faulty code on 31 Dec 2011. It became available for general use during January 2012. We have no way to know quite when sites started to use it but February/March 2012 is likely.
    2. The article states that ‘OpenSSL’ is used for securing Internet connections. True but not quite accurate. ‘SSL’ is the service used as described. There are several different versions of the SSL code available for web-sites to use. ‘OpenSSL’ is one of the free versions which anyone can download free and use. Good commercial sites (e.g. most banks) do NOT use this code, and in fact any reputable company should be using a ‘paid for’ version of SSL and would not then have this ‘Heartbleed’ bug problem which applies only to the free ‘use at your own risk’ software. Only companies that have tried to provide web services ‘on the cheap’ have been affected – unless they used a third-party to set up the web-site and they did it on the cheap without telling their client.
    3. The bug can expose any data which happens to be in the server’s memory at the time, not only usernames and passwords. The data the attacker gets is random and must be scanned for interesting values.
    4. The problem only occurs when the user keeps an inactive session open. If you login, do a transaction and logout again straight away you are not exposed. This is the way that SSL was designed to be used.

    1. For other readers clarification, this is not quite correct on a couple of points:

      #2 – just because something is open source or “free” does not always reflect on its effectiveness and quality. Many large commercial organisations will and do use “free” and open source 3rd party libraries in their proprietary code. The sad fact is that often they do not donate or contribute to these projects. You should not assume that if it’s paid for it is necessarily better or more reliable.

      #4 – not 100% sure you are correct here; anything the server has in running memory could be exposed, including but not limited to passwords, for example encryption keys and certificates. If you logout does the server immediately dump the session from memory? I’m not sure it does. Best approach if you are unsure is as stated in the article: 1. ensure the site is patched, 2. update any passwords, regenerate any keys.

    2. MarkC:
      Hi, re #2 – Sorry, I was not perhaps as clear as I needed to be. My intention was to clarify that not all sites using SSL had the exposure, only those sites using ‘OpenSSL’. As you say, much ‘free’ software is equally as good as the paid software, and in some cases is considerably better. I was in no way meaning to denigrate ‘free’ or other non-commercial software. But I don’t think that banks etc. making millions from Internet services should be sponging off others’ work – from your comment I suspect that you don’t either.
      re #4 – I think I stated in my #3 that any data can be exposed by this bug, any data at all. We are not allowed to go too technical in this blog – but only data which happens, at the time of the ‘hacked’ heartbeat, to be in storage just after the heartbeat data is exposed. The amount of data (number of bytes) exposed depends on what byte-count the hacker put in the modified heartbeat package – but only a limited amount (I believe the maximum is 4KB but I could well be wrong) of the storage at that point is exposed, not the entire many Megabytes of application memory space. Once the user terminates the session (i.e. logs out or closes the browser window) there will be no more heartbeats from his browser hence no more direct exposure of his data. As you suggest it is theoretically possible that some ‘user1 data’ could remain in the application storage area due to poor memory management in the server application and this could be returned to the ‘bad guy’ during a heartbeat response to some other user whose heartbeat package got assigned storage just ahead of the residual data. If this happened it would be difficult to associate the data with the original ‘user1’ closed session. Would depend a lot on the applications’ (or openSSL’s) memory management.
      The recommendation to all users of sites which might be impacted to change passwords is certainly correct – as soon as you know the site is fixed. Or change it now and again later to be safer.

    3. A small update to my own comment above. The amount of data which can be compromised in an attack is 64KB. Rather a lot and certainly enough to possibly contain security information such as certificates, usernames and passwords.
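The comments above describe the mechanism: the sender states a payload length, and the unfixed server echoes that many bytes back, reading past the real payload into whatever sits next to it in memory. The following C simulation is an added example, not OpenSSL’s code or the page author’s: it handles a constructed heartbeat request that claims 30 bytes but carried 5, once without the bounds check and once with the check that the fix introduced. The struct layout, buffer contents and function names are assumptions for illustration only.

```c
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for the server's record buffer: a 5-byte heartbeat
 * payload followed by unrelated data that happens to sit next to it. */
#define REQ_PAYLOAD_LEN 5
static const uint8_t record_buf[] =
    "hello"                          /* the genuine heartbeat payload */
    "password=hunter2;session=abcd"; /* adjacent data an over-read would copy */

/* A parsed heartbeat request (hypothetical layout, not OpenSSL's). */
struct heartbeat {
    uint16_t claimed_len;     /* length field written by the sender */
    size_t record_len;        /* payload bytes that actually arrived */
    const uint8_t *payload;
};

/* Pre-fix behaviour: trusts claimed_len and echoes that many bytes back. */
size_t reply_unchecked(const struct heartbeat *hb, uint8_t *out, size_t cap) {
    size_t n = hb->claimed_len;
    if (n > cap) n = cap;                 /* only so the simulation stays in bounds */
    memcpy(out, hb->payload, n);          /* reads past the real payload */
    return n;
}

/* Fixed behaviour: a claimed length larger than the payload that arrived is malformed. */
size_t reply_checked(const struct heartbeat *hb, uint8_t *out, size_t cap) {
    if (hb->claimed_len > hb->record_len || hb->claimed_len > cap)
        return 0;                         /* drop it; nothing beyond the record is copied */
    memcpy(out, hb->payload, hb->claimed_len);
    return hb->claimed_len;
}

/* Returns 1 if a request claiming 30 bytes (but carrying 5) gets the
 * adjacent "password=" data echoed back by the given handler. */
int reply_leaks_secret(size_t (*handler)(const struct heartbeat *, uint8_t *, size_t)) {
    struct heartbeat hb = { 30, REQ_PAYLOAD_LEN, record_buf };
    uint8_t out[64] = { 0 };
    size_t n = handler(&hb, out, sizeof out - 1);
    out[n] = '\0';
    return strstr((const char *)out, "password=") != NULL;
}

/* Returns 1 if an honest 5-byte request is still echoed intact after the fix. */
int valid_request_echoed(void) {
    struct heartbeat hb = { REQ_PAYLOAD_LEN, REQ_PAYLOAD_LEN, record_buf };
    uint8_t out[64] = { 0 };
    return reply_checked(&hb, out, sizeof out) == 5 && memcmp(out, "hello", 5) == 0;
}
```

The checked handler is the shape of the actual fix: compare the length the peer claims against the length that actually arrived before copying anything.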

  3. Worrying situation for the non-expert.
    I received an email purporting to come from Norton (I use 360 version) alerting me to Heartbleed problem. I didn’t open it but after consulting friends deleted the message. Email from friend A was expected with details of time of meeting of group. Received a message containing only a website address; replied to friend querying message but did not try to open the link. Later received expected e-mail. After consulting have deleted the mystery message which was, it is assumed, the result of something forwarded to said friend…..
    Surely Norton will have fixed any holes in the fence without telling us by individual message.
    What else to do? Do I have to change all/some passwords? Or sit tight?

    1. Hi Martino,
      This is certainly a very worrying problem – not only for the non-expert. We have for several years been assuming that we could all rely on SSL to keep sessions safe. We should not have been complacent – the original specification for SSL (it is available online) does warn that the design is susceptible to so called ‘man in the middle’ attacks. That means if someone can plant malicious code on a server which sits between you (your computer) and the server you are accessing, they can potentially break the encryption. The Heartbleed bug does not break the encryption nor give access to the data that you transmit over the compromised connection, but does possibly give access to data in memory on that server.
      This is not in itself a problem that Norton, or the other Internet security software companies, can ‘solve’. Every web server that uses the broken ‘OpenSSL’ code must be updated to the new fixed version – millions of them. There is also a disturbing possibility that some user systems (Android based) may (note – may) have been shipped with versions of SSL based on the bad source code – this possibility is I believe still under investigation.
      As per the post on 17th April by BobH – what we all really need is a central list of what servers have been affected and when they were fixed. Then we know for certain what passwords or similar we should be concerned about.
      If you regularly use any site with SSL (normally using a browser where a little gold padlock appears in the address bar, or possibly also ‘secure’ e-mail) and stay on the site for some time it may be best to play safe and change your passwords. Look on each site you use and see if they provide any information about their exposure to heartbleed – ie ‘never exposed’, ‘we were exposed but are now safe’ etc. Yesterday I checked again on two banking sites I use and neither even bother to make any mention of it! If in doubt – change your passwords – does not cost anything and it is always a good idea to change them from time to time – do it again in a few weeks.
      Be vigilant, and as you have already done – be very careful about strange e-mails – no way to tell whose account has been hacked.

  4. Thanks Norman
    A bit clearer now. And potential for a “road crash” wider than I thought since problem is “under the radar” provided by virus etc protection services. Will take your advice and be aware…..
    One more argument against DIY banking on line!
