THE heart of the Internet is “bleeding” from a bug in widely-used encryption technology, according to security experts.
The online threat, code-named Heartbleed, could affect millions of Chinese computer users by exposing their passwords, credit card numbers and other sensitive information to potential theft by computer hackers.
“Heartbleed is the No. 1 online threat this year,” said Shi Xiaohong, a security expert with Qihoo 360.
Shi likened it to a “nuclear crisis in the Internet landscape” due to its potential for damage.
More than 30 percent of domestic websites requiring web log-ins — covering online payment, e-commerce, online banking and e-mail services — have been affected by the bug. Users can’t protect their information if they have used the services of websites with OpenSSL encryption technology, even if their computers are well protected by anti-virus tools, according to Qihoo 360.
The security researchers who uncovered the threat are particularly worried about the breach because it had gone undetected for more than two years. Hackers may have been exploiting the problem over that period.
Domestic websites, including Taobao, the online shopping site, and train ticket site 12306.cn, and global sites such as Yahoo were found to have the bug. By yesterday evening, most websites had been upgraded to fix the bug.
“All of our websites, including Taobao, Alipay and Tmall are safe now with system upgrading,” Alibaba said.
Beijing-based Qihoo 360 sent alerts to around 120,000 website owners in China urging them to upgrade their systems.
The Heartbleed bug was found by Google Inc and US security firm Codenomicon, and prompted the US government’s Department of Homeland Security to advise businesses to review their servers to see if they were using vulnerable versions of OpenSSL, Reuters reported.
Ordinary computer users are advised to change passwords or at least not to access websites that haven’t been upgraded.
Yahoo, which has more than 800 million users worldwide, said most of its most popular services — including sports, finance and Tumblr — had been fixed, but work was still being done on other products it didn’t identify.
In a statement, it said it was “continuously working to protect our users’ data.”