Changing your password may not be enough to protect users of the world’s leading websites from the security flaw known as the “Heartbleed bug”, experts have warned.
Following revelations of the flaw in websites' security software, web users were advised to change their passwords, but security experts told CNBC that this step might not be enough, because there is no way to trace whether the bug has been exploited.
“We don’t know to what extent this flaw has been targeted by hackers, we are in the dark here about the extent of how it has been used. We can’t quantify the scale of the damage,” David Emm, senior security researcher at Kaspersky Lab, told CNBC in a phone interview.
The so-called “Heartbleed bug”, which was revealed by security firm Codenomicon, was discovered in OpenSSL software—an encryption service used by around two-thirds of websites to protect information sent to and from web pages.
Cybercriminals could use the security hole to steal sensitive personal information. Even more worrying is the fact that the hackers could regain access to the information if they have stolen a “master key” code, potentially making a password change ineffective.
OpenSSL has released an update to fix the problem, and companies including Google, Yahoo and Facebook have upgraded the software. However, it is not clear whether other companies have done the same, making universal protection for users difficult.
If a firm hasn’t applied the new fix to the system behind its website and a user changes their password, the new password will be just as vulnerable as the old one.
Security experts say that timing is crucial. Users should only change their passwords when a site has fixed the security flaw.
“Passwords are stored in an encrypted format. The latest bug could give hackers access to the skeleton key to open the central file that has all the passwords in it. So you changing the password doesn’t matter because this guy with the key can come in and look at your password anyway,” Ernest Hilbert, former FBI agent and head of cyber investigations for Europe, Middle East and Asia at risk consultancy Kroll, told CNBC in a phone interview.
The research suggests that the “Heartbleed bug” could have been around for about two years, making the potential scale of cybertheft huge. To make matters more complex, users have no way of knowing whether a website they are using could have been affected.
Users should keep an eye on bank accounts and other areas prone to hacking to see if unauthorized activity has taken place, experts said. But ultimately protection is down to companies, with experts suggesting that websites need to communicate with consumers about the security status of their site.
“It’s the companies and the service providers that really need to go out there, make sure their services are patched correctly and not vulnerable to this Heartbleed bug,” Jeremy Rosenberg, head of digital at Allison and Partners, told CNBC in a phone interview.