
Heartbleed: Who Was Affected, What to Do Now

By Paul Wagenseil | Source: Tom's Guide US | 14 comments

Credit: Codenomicon

UPDATED 9:15 AM EDT Thursday to remove Twitter from list of affected sites, and add OKCupid.

If you've been following the news for the past 24 hours, you've probably heard of the Heartbleed bug that's affecting the security of millions of websites. It's a big deal, with security experts using terms such as "catastrophic" and "devastating."

Unfortunately, there's not a lot the end user can do to fix things. Heartbleed mainly creates problems on Web and email servers. Windows PCs, Macs and mobile devices aren't directly affected, and antivirus software has no impact on Heartbleed. Systems administrators are scrambling to patch server software, but average Internet users have to wait it out.

MORE: 'Heartbleed' Bug Kills Security on Millions of Websites

However, there are a few things every Internet user should do right now. (If you can't wait to see which sites are affected, skip to the end of this story.)

Change your Yahoo, Flickr and Tumblr passwords.

Like millions of other websites, Yahoo and its subsidiaries Flickr and Tumblr were vulnerable to Heartbleed. Unlike many prominent sites, these did not patch their systems before the Heartbleed bug became public knowledge Monday evening (April 7).

Security researchers yesterday (April 8) used Heartbleed to capture usernames and passwords as random people logged into their Yahoo Mail accounts. If the good guys were doing that, you can bet the bad guys were too.

If you used your Yahoo username-password combination to log into other online accounts, change the passwords on those accounts as well.

Consider changing your Google, Facebook and Dropbox passwords.

Each of those services used the affected software, and each has confirmed that it was vulnerable to the Heartbleed bug at some point in the past two years. (Scroll down to see a list of other prominent affected sites.)

We haven't heard of anyone trying to use Heartbleed against those services, but one of the tricky things about a Heartbleed exploit is that it would leave no trace. System administrators simply wouldn't know if they'd been attacked.

MORE: Heartbleed: Where to Change Your Passwords

On your mobile device, log out of all apps, then log back in.

Mobile apps use authorization tokens to keep you permanently logged into Gmail, Dropbox, Yahoo Mail and so on. Attackers could have used Heartbleed to capture those tokens and gain access to your account. But manually logging out of those mobile services, then logging back in a few minutes later, will clear those old tokens and replace them with new ones.

If a service asks you to change your password, do so.

Heartbleed creates a mess for system administrators, and some sites may take days to sort everything out. Even if you change your passwords now, some sites may still be working on the problem and may want you to do it again next week.

If you have a Linux desktop computer, update the OS.

Ubuntu Linux is vulnerable, which means its derivatives Linux Mint and SteamOS probably are, too. Other Linux distributions also used the affected software; a more complete list is available at Heartbleed.com.

Set up two-factor authentication everywhere you can.

Two-factor authentication, also known as two-step authentication or two-step verification, makes you enter a code texted to your mobile phone every time you log into a service from a new computer or device. Unless an attacker, even one who used Heartbleed to capture your username and password, literally has your phone, he or she can't log in.

Google, Facebook, Twitter, Yahoo, Dropbox, Microsoft and LinkedIn all offer two-factor authentication, and Apple provides it for iTunes accounts (but not iCloud).

MORE: How to Turn On 2-Step Verification

Check websites yourself for the Heartbleed vulnerability.

Various services have sprung up to check which websites have been affected by Heartbleed. There's a list, compiled yesterday by former LulzSec hacker Mustafa al-Bassam, that tells you which of the top 10,000 sites on the Web are vulnerable to Heartbleed; there's also a real-time Heartbleed checker that tells you which sites are vulnerable now, and even a Chrome browser extension called Chromebleed based on that checker.

None of those, however, can tell you whether a site was vulnerable in the past. For that, use Netcraft's Site Report tool. Enter a URL and then check the results: you'll be looking for "Supported TLS Extensions" under the "SSL/TLS" heading. If "RFC6520 heartbeat" is listed, then the site was vulnerable and you should consider changing your password for it.

(Caveat: Facebook passes the Netcraft test, but a Facebook representative told us that the site did indeed use the affected software before the Heartbleed bug was disclosed.)
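What the Netcraft report's "RFC6520 heartbeat" entry reflects is whether the server advertises the TLS heartbeat extension (extension type 15, defined in RFC 6520) in its handshake. The following is an editor-added C example, not Netcraft's tool and not any project's code: it parses the extensions block of a TLS handshake message and reports whether the heartbeat extension is present and which mode it announces. The three sample blocks are constructed for the example, not captured from any real server.

```c
/* Editor-added example (not Netcraft's or OpenSSL's code): scan the
 * extensions block of a TLS handshake message for the RFC 6520 heartbeat
 * extension. Layout of the block:
 *   ext_total_len(2) | { ext_type(2) | ext_len(2) | ext_data } ...
 * All lengths are big-endian and none of them may be trusted until they
 * have been checked against the number of bytes actually available. */
#include <stddef.h>
#include <stdio.h>

#define EXT_HEARTBEAT 0x000f   /* extension_type assigned by RFC 6520 */

/* Returns 1 if the heartbeat extension is advertised (mode written to *mode
 * when non-NULL: 1 = peer_allowed_to_send, 2 = peer_not_allowed_to_send),
 * 0 if it is absent, and -1 if the block is malformed. */
static int advertises_heartbeat(const unsigned char *buf, size_t buf_len, int *mode)
{
    if (buf_len < 2) return -1;
    size_t total = ((size_t)buf[0] << 8) | buf[1];
    if (2 + total > buf_len) return -1;        /* declared length exceeds the data */
    size_t pos = 2, end = 2 + total;
    while (pos < end) {
        if (pos + 4 > end) return -1;          /* not enough room for type + length */
        unsigned type = ((unsigned)buf[pos] << 8) | buf[pos + 1];
        size_t len = ((size_t)buf[pos + 2] << 8) | buf[pos + 3];
        pos += 4;
        if (pos + len > end) return -1;        /* body runs past the block */
        if (type == EXT_HEARTBEAT) {
            if (len != 1) return -1;           /* HeartbeatMode is exactly one byte */
            if (mode) *mode = buf[pos];
            return 1;
        }
        pos += len;
    }
    return 0;
}

/* Constructed sample blocks (not from any real server). */
static const unsigned char with_hb[] = {
    0x00, 0x0a,                    /* total length 10 */
    0xff, 0x01, 0x00, 0x01, 0x00,  /* renegotiation_info, 1 byte of data */
    0x00, 0x0f, 0x00, 0x01, 0x01   /* heartbeat, mode peer_allowed_to_send */
};
static const unsigned char without_hb[] = {
    0x00, 0x05,
    0xff, 0x01, 0x00, 0x01, 0x00   /* renegotiation_info only */
};
static const unsigned char truncated[] = {
    0x00, 0x0a,                    /* claims 10 bytes but only 5 follow */
    0x00, 0x0f, 0x00, 0x01, 0x01
};

int main(void)
{
    int mode = 0;
    printf("with_hb:    %d (mode %d)\n",
           advertises_heartbeat(with_hb, sizeof with_hb, &mode), mode);
    printf("without_hb: %d\n", advertises_heartbeat(without_hb, sizeof without_hb, NULL));
    printf("truncated:  %d\n", advertises_heartbeat(truncated, sizeof truncated, NULL));
    return 0;
}
```

Advertising the extension only shows that heartbeat is enabled; a server that has since been patched keeps advertising it, so the presence of the entry is evidence that a site could have been exposed, not proof that it is exposed today.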

Look at the bright side.

Believe it or not, there's some good news in all of this. Most servers that run Microsoft software weren't affected by Heartbleed, and plenty of other sites, including Apple, Amazon, eBay, Paypal and most major banks, weren't either.

Systems administrators are going to have a busy week, but it'll be an opportunity for them to implement other security upgrades they've been putting off. You should do the same by creating new, strong passwords for every important online service you use, and implementing two-factor authentication wherever you can. Consider using a password manager, a piece of software that can create and manage strong, unique passwords for each online account you have.

Who was, and who wasn't, affected by Heartbleed

Prominent sites and services openly attacked using Heartbleed, for which you absolutely have to change passwords: Yahoo and, by association, its subsidiaries Flickr and Tumblr.

Prominent sites that have sent out Heartbleed-related password-change emails: Ars Technica, IFTTT.com.

Prominent sites and services formerly vulnerable to Heartbleed attacks, for which you probably should change passwords: Blogger/Blogspot, Dropbox, Facebook, Electronic Frontier Foundation, Etsy, Google, Imgur, Instagram, Netflix, OKCupid, Pinterest, Stack Overflow, Wikipedia, Woot, Wordpress.com/Wordpress.org and YouTube.

Prominent sites and services that don't appear to have been vulnerable to Heartbleed (but we can't be certain): Amazon, AOL, Apple, Ask.com, Bank of America, Bing, Buzzfeed, Capital One, Chase, CNET, Craigslist, eBay, ESPN, Evernote, GoDaddy, Hotmail, HSBC, Huffington Post, Intuit, LinkedIn, Live.com, Microsoft, Newegg, The New York Times, PayPal, Reddit, Salesforce, Target, TD Bank, Twitter, Walmart, Wells Fargo and Zillow.

If you want the gory technical details on what Heartbleed is and how it works, visit Heartbleed.com, read this excellent but dense explanation of Heartbleed by Australian security researcher Troy Hunt or watch this video by security researcher Zulfikar Ramzan.

Heartbleed bug, explained

Follow Paul Wagenseil at @snd_wagenseil. Follow Tom's Guide at @tomsguide, on Facebook and on Google+.

Discuss
  • 1 Hide
    JMcEntegart , April 9, 2014 3:54 PM
    Great post!!
  • 1 Hide
    SinxarKnights , April 9, 2014 6:11 PM
    Mojang, makers of Minecraft, Scrolls and Cobalt was affected as well.
  • 0 Hide
    bebangs , April 10, 2014 12:54 AM
    should i panic?
  • 2 Hide
    SinxarKnights , April 10, 2014 12:55 AM
    Quote:
    should i panic?

    Couldn't hurt.
  • 0 Hide
    ddpruitt , April 10, 2014 5:18 AM
    The explanation you linked to has some technical inaccuracies (for one it's not the malloc that causes the problem, it's the actual copy a few lines down). The error is your standard unchecked unsafe memcopy operation. Basically an attacker can read up to 64 KiB of the SSL server, whatever happens to be stored there is the attacker's (even server password files). You also shouldn't change passwords on a website until the certs are updated, otherwise your new password might be compromised too. You should also change all of your passwords. As pointed out, even if a frontend system isn't vulnerable something on the backend might be. Last time I had my password compromised (KickStarter) I switched to using a password manager, it makes these things much easier to deal with.
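Editor's note: the comment above describes the defect as an unchecked copy, and the following C example shows what that check looks like. It is an editor-added example, not the commenter's code and not OpenSSL's source; the message layout follows RFC 6520 (type, two-byte payload length, payload, at least 16 bytes of padding), and the heartbeat record and the "secret" placed after it in the buffer are both constructed for the example. The same function is run once without the length check and once with it, so the difference is visible on the return value.

```c
/* Editor-added example (not OpenSSL's code): the RFC 6520 heartbeat
 * length check. Message layout:
 *   type(1) | payload_length(2, big-endian) | payload | padding(>=16)
 * payload_length is sent by the peer; the receiver must compare it with
 * the number of bytes that actually arrived before copying anything. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_HEADER    3    /* type + 2-byte payload_length */
#define HB_PADDING  16    /* minimum padding required by RFC 6520 */

/* Builds the echo response for the rec_len-byte request at rec.
 * Returns the number of bytes written to out, or -1 if the request is
 * rejected. checked=1 applies the missing bounds check; checked=0 does not. */
static long build_heartbeat_response(const unsigned char *rec, size_t rec_len,
                                     unsigned char *out, size_t out_cap, int checked)
{
    if (rec_len < HB_HEADER || rec[0] != HB_REQUEST) return -1;
    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];   /* peer-controlled */

    /* The fix: declared payload plus header and minimum padding must fit
     * inside the record that was actually received; if not, drop it. */
    if (checked && HB_HEADER + payload_len + HB_PADDING > rec_len) return -1;
    if (HB_HEADER + payload_len + HB_PADDING > out_cap) return -1;

    out[0] = HB_RESPONSE;
    out[1] = (unsigned char)(payload_len >> 8);
    out[2] = (unsigned char)(payload_len & 0xff);
    /* Without the check, this copy runs past the end of the record and
     * echoes back whatever happened to follow it in memory. */
    memcpy(out + HB_HEADER, rec + HB_HEADER, payload_len);
    memset(out + HB_HEADER + payload_len, 0, HB_PADDING);   /* zero padding for the demo */
    return (long)(HB_HEADER + payload_len + HB_PADDING);
}

/* Constructed scenario: a 21-byte request that declares 40 payload bytes but
 * carries 2, placed directly in front of a constructed "secret" string in the
 * same buffer. Every read stays inside demo_memory, so the demo itself is safe. */
static unsigned char demo_memory[64];

static long demo(int checked, unsigned char *out, size_t out_cap)
{
    const unsigned char record[] = {
        HB_REQUEST, 0x00, 40, 'h', 'i',
        0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0   /* 16 bytes padding */
    };
    const char secret[] = "SESSION=deadbeef";   /* constructed neighbouring data */
    memset(demo_memory, 0, sizeof demo_memory);
    memcpy(demo_memory, record, sizeof record);
    memcpy(demo_memory + sizeof record, secret, sizeof secret);
    return build_heartbeat_response(demo_memory, sizeof record, out, out_cap, checked);
}

/* Returns 1 if the constructed secret appears in the n-byte response. */
static int response_leaks_secret(const unsigned char *out, long n)
{
    const char *needle = "SESSION=deadbeef";
    long nl = (long)strlen(needle);
    if (n < nl) return 0;
    for (long i = 0; i + nl <= n; i++)
        if (memcmp(out + i, needle, (size_t)nl) == 0) return 1;
    return 0;
}

int main(void)
{
    unsigned char out[128];
    long n = demo(0, out, sizeof out);
    printf("unchecked: %ld bytes returned, secret leaked: %d\n", n, response_leaks_secret(out, n));
    n = demo(1, out, sizeof out);
    printf("checked:   %ld (request rejected)\n", n);
    return 0;
}
```

The check mirrors the condition in the published fix: header plus declared payload plus minimum padding must not exceed the received record length. Note that the rejected request produces no response at all, which is also why an attempt leaves no trace in ordinary server logs, as the article points out.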
  • 0 Hide
    teh_chem , April 10, 2014 6:10 AM
    2nd factor authentication is the easiest thing everyone can do to help secure their accounts--that should be at the very top of the list, after notifying people of the affected services. Disappointing to see it buried in the middle, despite good info in this post.
  • 0 Hide
    slm34 , April 10, 2014 9:33 AM
    Walmart tests vulnerable as of today, 12:30PM EST, 10Apr2014
  • 0 Hide
    slm34 , April 10, 2014 9:54 AM
    Quote:
    Walmart tests vulnerable as of today, 12:30PM EST, 10Apr2014

    A few minutes before, perhaps 12:28PM EST, the filippo.io test showed walmart.com as Vulnerable, I tested it again, as last night I received the "Uh-oh, something went wrong: ..." response from the filippo.io test. It again came back "Vulnerable". After posting to this site, I again tested it, and it came back like last night: "Uh-oh, something went wrong...broken pipe..." which in their FAQ is further described, including..." This error means that I can't tell if the server is vulnerable (probably not)."

    For this site, I would not assume all is well until the "something went wrong" response clears....
  • 0 Hide
    arseniosantos , April 10, 2014 10:26 AM
    I checked chase.com on Tuesday morning, and it _was_ listed as vulnerable up until around 11:00am PDT.
  • 0 Hide
    Tom Tancredi , April 10, 2014 11:47 AM
    Hey Tom's Hardware, HOW about someone test SecondLife and see if they suffer from the issue? Curious if the application clients can be susceptible as well.
  • 0 Hide
    bugmenotplz , April 13, 2014 6:07 AM
    That Netcraft's Site Report tool doesn't seem to work. I don't see "Supported TLS Extensions" anywhere on the page. I tried it on sites that were definitely affected by Heartbleed, such as yahoo and tumblr but still nothing.
  • 0 Hide
    ckaspereli , April 16, 2014 7:45 AM
    The pathological liars at the NSA should've known about this and let the public know but they are either incompetent and/or as we've found recently, utterly and contemptuously untrustworthy. The clueless immoral SOB's that run the incestuous CIA/NSA complex are solely interested in the billions of dollars they get to spend that allows them to arrogantly strut and prance about and baldly lie to congress fabricating bogus claims of national top secrecy ad nauseum.
  • 0 Hide
    ckaspereli , April 16, 2014 8:10 AM
    The pathological screwball liars at the NSA should've known about this issue 2 years ago and let the public know but they were evidently too busy spending hard-earned tax-payer's money on equipment to spy on us and hence are flagrantly incompetent and/or as we've found recently, utterly and contemptuously untrustworthy. The clueless immoral SOB's that run the incestuous CIA/NSA complex are solely interested in the billions of dollars they get to spend that allows them to arrogantly strut and prance about and baldly lie to congress fabricating bogus claims of national top secrecy ad nauseum.