Heartbleed Bug Password Change Advisory: Don't Do It Yet, Expert Suggests; Updating Passwords on Key Sites Can Backfire

Heartbleed bug password change advisories were all over the Internet after the "catastrophic bug", which some security experts rate at 11 on a scale of 1 to 10, hit servers all over the world. Though the call to update log-ins has been repeated by many major tech giants and websites, Internet security experts suggest that people not rush to change their passwords.

The Guardian reported that security researcher Mark Schloesser said suggestions by Yahoo and the BBC that people should change their passwords at once, a typical response to a security breach, could make the problem worse if the web server has not yet been updated to fix the flaw.

Responding to this breach by changing log-ins "could even increase the chance of somebody getting the new password through the vulnerability," the security expert added. He said that logging in to a still-vulnerable server to change a password could reveal both the old and the new password to an attacker.

The Heartbleed bug exists in a piece of open source software called OpenSSL, which is designed to encrypt communications between a user's computer and a web server. Security researchers have no way to prove whether or not the flaw, which has existed since March 2012, has been exploited.

According to The Guardian, the bug's age, and its presence in software to which anyone can submit an update, has led to speculation that it could have been inserted and then exploited by government spy agencies such as the U.S. National Security Agency, which is known to run programs that collect user data.

Tumblr, the popular social media platform with millions of users, issued a warning Tuesday night. The Yahoo-owned company said that it had "no evidence of any breach" and has now fixed the issue on its servers, but it still recommends that users take action.

"This might be a good day to call in sick and take some time to change your passwords everywhere — especially your high-security services like email, file storage, and banking, which may have been compromised by this bug," it says. The Guardian reports that the advice to change passwords was repeated elsewhere, by groups including the BBC.

Schloesser advised against the move. He says that the "estimate is that the larger providers all get patched within the next 24-48 hours [Thursday to Friday afternoon] and I would agree that people should change their credentials when a provider has updated their OpenSSL versions."

The Heartbleed vulnerability has been found only in a few recent releases of OpenSSL, a software library that allows web servers to initiate secure conversations.
