The security world is in a panic this week about a bug in the widely used encryption library OpenSSL. The vulnerability is lovingly named Heartbleed and it would essentially allow for some very nasty attacks on anyone using services that run the flawed version of OpenSSL.
Hackers could exploit affected web servers by having them dump pieces of memory, 64KB at a time, which could include a whole load of nasty things, including passwords and encryption keys.
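To show the shape of the missing check behind that memory dump, here is an added example, not code from the article and not OpenSSL's own source: a simplified heartbeat handler that refuses to echo more bytes than the request actually carried. The record layout, the constants and the two sample records are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Assumed, simplified heartbeat record layout: 1 type byte, 2-byte
   big-endian payload length, the payload, then at least 16 bytes padding. */
#define HB_HEADER  3
#define HB_PADDING 16

/* Constructed sample requests, not captured traffic. GOOD_REC declares a
   4-byte payload and really carries it. BAD_REC is the same 23-byte record
   but declares 65535 bytes: a handler that trusts that field would copy
   far past the end of the request into its reply. */
static const uint8_t GOOD_REC[23] = {1, 0x00, 0x04, 'p', 'i', 'n', 'g'};
static const uint8_t BAD_REC[23]  = {1, 0xFF, 0xFF, 'p', 'i', 'n', 'g'};

static size_t declared_payload(const uint8_t *rec) {
    return ((size_t)rec[1] << 8) | rec[2];
}

/* The check the vulnerable code lacked: the declared payload plus header and
   padding must fit inside the bytes actually received. 1 = ok, 0 = drop. */
int heartbeat_length_ok(const uint8_t *rec, size_t rec_len) {
    if (rec_len < HB_HEADER + HB_PADDING) return 0;   /* no room for any payload */
    return HB_HEADER + declared_payload(rec) + HB_PADDING <= rec_len;
}

/* Echo the payload back, as the heartbeat extension does, but only after the
   length check. Returns the response length, or 0 if the request is dropped. */
size_t build_response(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap) {
    if (!heartbeat_length_ok(rec, rec_len)) return 0;
    size_t payload = declared_payload(rec);
    if (HB_HEADER + payload + HB_PADDING > out_cap) return 0;
    out[0] = 2;                       /* heartbeat_response */
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HEADER, rec + HB_HEADER, payload);   /* bounded by the check */
    memset(out + HB_HEADER + payload, 0, HB_PADDING);    /* padding (random in TLS) */
    return HB_HEADER + payload + HB_PADDING;
}

/* Convenience wrapper so a caller can test a sample without managing buffers. */
size_t respond_to_sample(const uint8_t *rec, size_t rec_len) {
    uint8_t out[64];
    return build_response(rec, rec_len, out, sizeof out);
}
```

With the check in place the oversized request is dropped instead of answered with whatever happened to follow it in memory.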
Do I Need To Change My Passwords?
For mobile users, the threat is two-fold. First, they have to worry about those sensitive pieces of data being taken whilst using affected sites. That's a problem at the server end that affects most people on the internet, hence the somewhat premature calls for users to change all their passwords (it is best to wait until you are sure the affected sites have applied the OpenSSL patch). Some have suggested two-thirds of the world's internet servers will need to change SSL certificates to prevent attacks.
But they also have to worry about their mobile devices themselves running vulnerable code. It would appear Android 4.1.1 is the only smartphone operating system impacted by Heartbleed, as it ships a vulnerable version of OpenSSL. That would still likely affect millions, though.
Google said it was sending out patching information for Android 4.1.1 to partners. That should mean fixes are coming, although it often takes device manufacturers some time to get fixes onto phones.
Lookout Mobile Security, which has released a tool to detect which Android devices are vulnerable, said: "Unfortunately, if there are no updates available, there isn’t anything you can do. It’s up to the infrastructure teams behind the products and services you use to update their systems. The good news is that we have yet to see any attacks targeting a mobile device, and while this is a credible risk, the likelihood of you encountering an exploit is low."
That means users are just waiting on the companies running the internet and the makers of the devices that connect to it. Given the severity of this flaw and the significant amount of press it has generated, it is to be hoped that fixes will be issued widely and soon.
In the meantime, various proof-of-concept exploits are doing the rounds. The ethical hacking tool Metasploit, which a lot of criminal hackers use too, now includes exploit code, meaning it is simple to get at data held in the memory of vulnerable servers. Fixes are needed fast.
As for what this means for the future of security on the web, it's clear we are going to have to rethink how we ensure widely used code on the web is not putting people in danger. This was a remarkably basic flaw, according to many in the security profession, and yet the whole community of developers on the OpenSSL project managed to leave it undetected for two years.
One piece of good news has come out of this at least: Neel Mehta, one of the Google researchers who uncovered the Heartbleed flaw, is giving his $15,000 bounty to the Freedom of the Press Foundation.
Otherwise, this has been a bad week for the security of the internet.