If you've been following the tech news, you'll have heard about a new security vulnerability called Heartbleed. This is a bug in a widely used piece of security software, OpenSSL, which can leak data.Heartbleed is more dangerous than most security vulnerabilities for a number of reasons:
- It affects a wide range of sites - when it was first discovered, an estimated 66% of the web was vulnerable
- It's widely applicable - attackers don't need to trick users into doing anything unusual, and they don't need any login credentials
- It's simple enough that unskilled attackers can use it
- In most cases, it's completely undetectable
- The data it leaks can be very high value - the bug effectively leaks randomly selected data from your app, so almost any data could be leaked
Just how high-value is the leaked data? We checked a number of major sites to see if they were vulnerable, and how badly.The worst affected site that we saw was a major UK political party. The data leaked included names, addresses, and credit card details of donors.They have since patched the site, however, and are no longer vulnerable.We also saw leaked user credentials on multiple sites - all of which have since been patched.If you're not sure if your site is affected, you can check online at http://filippo.io/Heartbleed/. If you are, it's imperative that you fix it as soon as possible.If you're still vulnerable at this point, then there's a very strong chance that someone has already taken advantage of this. The bug could leak anything, so you should assume that all of your data has been compromised, and plan accordingly.And even if you don't have a website, this would be a great time to change your passwords!