
Heartbleed Bug Leaves OpenSSL Vulnerable to Attack

By Stephanie Mlot, Contributor


A bug within OpenSSL has left encrypted data supposedly protected by the cryptographic software library open to scammers.

The problem was uncovered by a team of researchers from Google Security and Codenomicon. "This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet," they wrote on their website. "SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs)."

The vulnerability has been dubbed the Heartbleed Bug because it was discovered "in the OpenSSL's implementation of the TLS/DTLS (transport layer security protocols) heartbeat extension (RFC6520)," the team said.
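The heartbeat parsing defect the article points to, as an added example (my illustration, not code from OpenSSL or from the researchers' write-up): a minimal RFC 6520 heartbeat parser that trusts the peer-supplied length field, beside the hardened version that drops any record whose claimed payload does not fit inside the bytes actually received. The message layout follows RFC 6520 and the bound mirrors the check shipped in 1.0.1g; hb_verdict and the constructed records it builds are my own helpers, not part of either.

```c
#include <stdint.h>
#include <string.h>
/* RFC 6520 HeartbeatMessage: type (1 byte), payload_length (2 bytes, big-endian),
 * payload, then at least 16 bytes of random padding. */
#define HB_HEADER_LEN  3
#define HB_MIN_PADDING 16

struct heartbeat {
    uint8_t type;
    uint16_t payload_length;   /* length claimed by the peer, not yet verified */
    const uint8_t *payload;
};

/* Parses the header and trusts payload_length as received.  A responder that
 * echoes that many bytes from the payload pointer reads past the end of a record
 * shorter than the claimed length: the defect class the article describes. */
int hb_parse_unchecked(const uint8_t *rec, size_t rec_len, struct heartbeat *hb)
{
    if (rec_len < HB_HEADER_LEN) return -1;
    hb->type = rec[0];
    hb->payload_length = (uint16_t)((rec[1] << 8) | rec[2]);
    hb->payload = rec + HB_HEADER_LEN;
    return 0;
}

/* Hardened parse: header + claimed payload + minimum padding must fit inside the
 * bytes actually received, otherwise the record is dropped (the 1.0.1g bound). */
int hb_parse_checked(const uint8_t *rec, size_t rec_len, struct heartbeat *hb)
{
    if (hb_parse_unchecked(rec, rec_len, hb) != 0) return -1;
    if ((size_t)HB_HEADER_LEN + hb->payload_length + HB_MIN_PADDING > rec_len) return -1;
    return 0;
}

/* Constructed test record: payload_len bytes of 'A' but a length field of
 * claimed_len.  Returns the chosen parser's verdict: 0 = accepted, -1 = dropped. */
int hb_verdict(uint16_t claimed_len, size_t payload_len, int checked)
{
    uint8_t rec[64];
    struct heartbeat hb;
    size_t total = HB_HEADER_LEN + payload_len + HB_MIN_PADDING;
    if (total > sizeof rec) return -1;
    rec[0] = 1;                              /* heartbeat_request */
    rec[1] = (uint8_t)(claimed_len >> 8);
    rec[2] = (uint8_t)(claimed_len & 0xff);
    memset(rec + HB_HEADER_LEN, 'A', payload_len);
    memset(rec + HB_HEADER_LEN + payload_len, 0, HB_MIN_PADDING);  /* padding */
    return checked ? hb_parse_checked(rec, total, &hb)
                   : hb_parse_unchecked(rec, total, &hb);
}
```

A record whose length field agrees with its contents passes both parsers; one claiming 65535 bytes while carrying four is accepted by the unchecked parser and dropped by the hardened one.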

Unfortunately, the bug is not new. It was introduced to OpenSSL in December 2011 and has been in the wild since version 1.0.1 was released in March 2012. The fix, version 1.0.1g, launched on Monday. Not all versions of OpenSSL are affected: only 1.0.1 through 1.0.1f are vulnerable; 1.0.1g, the 1.0.0 branch, and the 0.9.8 branch are not.

"As long as the vulnerable version of OpenSSL is in use it can be abused," the researchers said.

Complicating matters is the fact that exploits are untraceable. "We attacked ourselves from outside, without leaving a trace," the team said. "Without using any privileged information or credentials we were able to steal from ourselves the secret keys used for our X.509 certificates, user names and passwords, instant messages, emails and business critical documents and communication."

"This bug has left a large amount of private keys and other secrets exposed to the Internet," they warned. "Considering the long exposure, ease of exploitation and attacks leaving no trace, this exposure should be taken seriously."

But results appear to vary, as noted by Adam Langley, a Google security expert who helped fix the flaw.

For more, check out SSL Bug Threatens Secure Communications.

