Note: This post has an updated Yahoo statement below.
Amid security and privacy concerns galore — plus tech companies’ plans and promises to better protect their users — comes a new bug called Heartbleed. The researchers who discovered it say it’s a doozy. And Yahoo users might want to pay attention.
The vulnerability in OpenSSL encryption affects nearly 70 percent of the Web, the researchers said Monday night. And it could hit home for many, because among other things it can expose Yahoo passwords. CNet reports that a security firm and a developer were able to exploit the flaw and obtain at least a couple of hundred Yahoo usernames and passwords. Yahoo is aware of the problem and is working on a fix, a company spokeswoman told us this morning. (See below for an updated statement from Yahoo.)
The affected version of OpenSSL allow attackers to “eavesdrop on communications, steal data directly from the services and users and to impersonate services and users,” according to the researchers, who reportedly work at Google and security firm Codenomicon.
According to CNet, a tool that checks websites for vulnerability to Heartbleed showed that Google, Microsoft, Twitter, Facebook, Dropbox and others were not affected, but that Imgur, OKCupid and Eventbrite were.
Update: Yahoo has sent us a new statement. “Our team has successfully made the appropriate corrections across the main Yahoo properties (Yahoo Homepage, Yahoo Search, Yahoo Mail, Yahoo Finance, Yahoo Sports, Yahoo Food, Yahoo Tech, Flickr and Tumblr) and we are working to implement the fix across the rest of our sites right now.”
Illustration from MCT archives