Heartbleed Bug Series Part-2: So, How Bad is it?

The newly discovered Heartbleed bug is being touted as the Web’s worst security bug ever. So, I decided to write a series of 3 posts explaining what it is, which sites are affected and what you should do to protect yourselves from this “Greatest Virtual Horror of All Time.” 

It seems pretty bad, but not that bad.

It isn’t clear which sites have been affected. Some Internet companies that were vulnerable to the bug have already updated their servers with a security patch to fix the issue. This means you’ll need to go in and change your passwords immediately for these sites. Even then, there’s no guarantee that your information wasn’t already compromised, but there’s also no indication that hackers knew about the exploit before this week. The companies that are advising customers to change their passwords are doing so as a precautionary measure.

Although changing your password regularly is always good practice, if a site or service hasn’t yet patched the problem, your information will still be vulnerable.

Also, if you reused the same password on multiple sites, and one of those sites was vulnerable, you’ll need to change the password everywhere. You should not use the same password across multiple sites, anyway.
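The two rules above (wait for the patch before changing a password, and treat a reused password as exposed everywhere) can be applied mechanically to a password-manager export. This is an added example, not part of the original post: the vault entries, the `example-shop.test` site and the function names are constructed for illustration, while the other site statuses are taken from the tables in this post.

```python
import hashlib

# Statuses for real services are copied from this post's tables.
# "example-shop.test" is a constructed site: affected, not yet patched.
SITE_STATUS = {
    "yahoo mail": {"affected": True, "patched": True},
    "pinterest": {"affected": True, "patched": True},
    "linkedin": {"affected": False, "patched": False},
    "amazon": {"affected": False, "patched": False},
    "example-shop.test": {"affected": True, "patched": False},
}

# Constructed vault export: (site, password) pairs.
VAULT = [
    ("yahoo mail", "tr0ub4dor&3"),
    ("linkedin", "tr0ub4dor&3"),        # same password reused on a safe site
    ("amazon", "unique-amazon-pw"),
    ("pinterest", "pin-only-pw"),
    ("example-shop.test", "shop-only-pw"),
]

def fingerprint(password):
    """Compare passwords by digest so plaintext is not kept in the lookup set."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

def rotation_plan(vault, status):
    """Return {site: action} where action is change-now, wait-for-patch or keep."""
    unknown = {"affected": False, "patched": False}
    # Any password used on an affected site counts as exposed everywhere.
    exposed = {fingerprint(pw) for site, pw in vault
               if status.get(site, unknown)["affected"]}
    plan = {}
    for site, pw in vault:
        s = status.get(site, unknown)
        if s["affected"] and not s["patched"]:
            # A new password sent to an unpatched server is still vulnerable.
            plan[site] = "wait-for-patch"
        elif fingerprint(pw) in exposed:
            plan[site] = "change-now"
        else:
            plan[site] = "keep"
    return plan

if __name__ == "__main__":
    for site, action in rotation_plan(VAULT, SITE_STATUS).items():
        print(f"{site:20} {action}")
```

LinkedIn itself was not affected, but its entry is flagged because the same password was used on Yahoo Mail.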

Below is a list of major sites on which most netizens are registered, courtesy of Mashable.

Social Networks

| Service | Was it affected? | Is there a patch? | Do you need to change your password? | What did they say? |
| --- | --- | --- | --- | --- |
| Facebook | Unclear | Yes | Yes | “We added protections for Facebook’s implementation of OpenSSL before this issue was publicly disclosed. We haven’t detected any signs of suspicious account activity, but we encourage people to … set up a unique password.” |
| Instagram | Yes | Yes | Yes | “Our security teams worked quickly on a fix and we have no evidence of any accounts being harmed. But because this event impacted many services across the web, we recommend you update your password on Instagram and other sites, particularly if you use the same password on multiple sites.” |
| LinkedIn | No | No | No | “We didn’t use the offending implementation of OpenSSL in http://www.linkedin.com or http://www.slideshare.net. As a result, HeartBleed does not present a risk to these web properties.” |
| Pinterest | Yes | Yes | Yes | “We fixed the issue on Pinterest.com, and didn’t find any evidence of mischief. To be extra careful, we e-mailed Pinners who may have been impacted, and encouraged them to change their passwords.” |
| Tumblr | Yes | Yes | Yes | “We have no evidence of any breach and, like most networks, our team took immediate action to fix the issue.” |
| Twitter | No | Yes | Unclear | Twitter wrote that OpenSSL “is widely used across the internet and at Twitter. We were able to determine that [our] servers were not affected by this vulnerability. We are continuing to monitor the situation.” While reiterating that they were unaffected, Twitter said that they did apply a patch. |

Email

| Service | Was it affected? | Is there a patch? | Do you need to change your password? | What did they say? |
| --- | --- | --- | --- | --- |
| AOL | No | No | No | AOL told Mashable it was not running the vulnerable version of the software. |
| Gmail | Yes | Yes | Yes* | “We have assessed the SSL vulnerability and applied patches to key Google services.” *Google said users do not need to change their passwords, but because of the previous vulnerability, better safe than sorry. |
| Hotmail / Outlook | No | No | No | Microsoft services were not running OpenSSL, according to LastPass. |
| Yahoo Mail | Yes | Yes | Yes | “As soon as we became aware of the issue, we began working to fix it… and we are working to implement the fix across the rest of our sites right now.” |

Other Companies

| Company Name | Was it affected? | Is there a patch? | Do you need to change your password? | What did they say? |
| --- | --- | --- | --- | --- |
| Apple | No | No | No | “iOS and OS X never incorporated the vulnerable software and key web-based services were not affected.” |
| Amazon | No | No | No | “Amazon.com is not affected.” |
| Google | Yes | Yes | Yes* | “We have assessed the SSL vulnerability and applied patches to key Google services.” Search, Gmail, YouTube, Wallet, Play, Apps and App Engine were affected; Google Chrome and Chrome OS were not. *Google said users do not need to change their passwords, but because of the previous vulnerability, better safe than sorry. |
| Microsoft | No | No | No | Microsoft services were not running OpenSSL, according to LastPass. |
| Yahoo | Yes | Yes | Yes | “As soon as we became aware of the issue, we began working to fix it… and we are working to implement the fix across the rest of our sites right now.” Yahoo Homepage, Yahoo Search, Yahoo Mail, Yahoo Finance, Yahoo Sports, Yahoo Food, Yahoo Tech, Flickr and Tumblr were patched. More patches to come, Yahoo says. |

Password Managers

| Password Manager Name | Was it affected? | Is there a patch? | Do you need to change your password? | What did they say? |
| --- | --- | --- | --- | --- |
| 1Password | No | No | No | 1Password said in a blog post that its technology “is not built upon SSL/TLS in general, and not upon OpenSSL in particular.” So users don’t need to change their master password. |
| Dashlane | Yes | Yes | No | Dashlane said in a blog post users’ accounts were not impacted and the master password is safe as it is never transmitted. The site does use OpenSSL when syncing data with its servers but Dashlane said it has patched the bug, issued new SSL certificates and revoked previous ones. |
| LastPass | Yes | Yes | No | “Though LastPass employs OpenSSL, we have multiple layers of encryption to protect our users and never have access to those encryption keys.” Users don’t need to change their master passwords because they’re never sent to the server. But passwords for other sites stored in LastPass might need to be changed. |

This list was last updated on April 12, 2014. Mashable has also posted about other sites (financial, etc.) which you could be registered on, so go check that out!

Check out other parts of the series:

Heartbleed Bug Series Part-1: So, what is it anyways?

Heartbleed Bug Series Part-3: How to protect oneself?

Published by

Shaminder Pal Singh

I am a student by day and tech blogger by night. I try to bring to the public the latest and greatest news from the tech world!
