Throughout yesterday, messages spread that one of the more notable websites to be affected by the “catastrophically bad” bug was Yahoo.
Test sites like the one created by Filippo Valsorda made it easy for anyone to discover if websites they used might be vulnerable to the OpenSSL flaw.
Very quickly, it became clear that popular sites like Google, Facebook, Twitter and Dropbox were not affected, but other sites shown as vulnerable by Valsorda's tool (for instance, dating site OKCupid, Imgur, Flickr, Stack Overflow and Eventbrite) were at risk.
But some boffins went further than that, eager to confirm if it was actually possible to exploit the flaw to scoop up email addresses and passwords from people who had logged into Yahoo.
For instance, early on security researcher Mark Loman tweeted an image which appeared to demonstrate clearly how the Heartbleed bug could be used to expose Yahoo users’ usernames and passwords to malicious hackers.
In a nutshell, Yahoo was leaking user credentials.
Meanwhile, other researchers claimed to have uncovered hundreds of Yahoo users’ passwords.
The sensible thing to do, when faced with evidence like this, is to steer well clear of Yahoo's servers until it is confirmed that the issue has been resolved.
The hours ticked by, and eventually Yahoo was no longer vulnerable. They won't have been the last vendor to patch their product against this flaw, but they were far from the first either.
But, amazingly, the OpenSSL Heartbleed bug appears to have been around for about two years. Which means that – in theory at least – this gaping security hole could have been actively exploited by unauthorised parties for a long period of time.
Yahoo is no longer vulnerable to #Heartbleed. They should reset all their users’ passwords though. And that’s only the beginning.
Let’s go back to the question asked in the title of this article. “Did the Heartbleed bug leak your Yahoo password?”
The simple answer is, we don’t know. But it could have.
And because of that, it’s only sensible to assume the worst and take measures now to prevent any harm from being done.
So, how about it Yahoo? Are you going to reset users’ passwords or not?
For more guidance and further reading:
- The Heartbleed bug: serious vulnerability found in OpenSSL cryptographic software library
- OpenSSL advisory
- Test your server for the Heartbleed bug