Heartbleed bug takes bite out of encryption, affects Yahoo and others

Note: This post has an updated Yahoo statement below.

Amid security and privacy concerns galore — plus tech companies’ plans and promises to better protect their users — comes a new bug called Heartbleed. The researchers who discovered it say it’s a doozy. And Yahoo users might want to pay attention.

The vulnerability in OpenSSL encryption affects nearly 70 percent of the Web, the researchers said Monday night. And it could hit home for many, because among other things it can expose Yahoo passwords. CNet reports that a security firm and a developer were able to exploit the flaw and obtain at least a couple of hundred Yahoo usernames and passwords. Yahoo is aware of the problem and is working on a fix, a company spokeswoman told us this morning. (See below for an updated statement from Yahoo.)

The affected versions of OpenSSL allow attackers to “eavesdrop on communications, steal data directly from the services and users and to impersonate services and users,” according to the researchers, who reportedly work at Google and security firm Codenomicon.

According to CNet, a tool that checks websites for vulnerability to Heartbleed showed that Google, Microsoft, Twitter, Facebook, Dropbox and others were not affected, but that Imgur, OKCupid and Eventbrite were.

Update: Yahoo has sent us a new statement. “Our team has successfully made the appropriate corrections across the main Yahoo properties (Yahoo Homepage, Yahoo Search, Yahoo Mail, Yahoo Finance, Yahoo Sports, Yahoo Food, Yahoo Tech, Flickr and Tumblr) and we are working to implement the fix across the rest of our sites right now.”

Illustration from MCT archives

Levi Sumagaysay (4063 Posts)

Levi Sumagaysay is editor of the combined SiliconBeat and Good Morning Silicon Valley. She also helps take care of SiliconValley.com, the Mercury News tech website. Email: lsumagaysay (at) bayareanewsgroup (dot-com).