An enormous security flaw called Heartbleed, which has left more than 500,000 sites vulnerable to attackers, has led many commentators to suggest that internet users should change their passwords for any websites that might be at risk. These include the likes of Facebook, Tumblr, and Google, according to a list on Mashable.
But internet security experts have said people should not change their passwords just yet. Instead, they should wait until the company sends them a message, such as the one sent by If This Then That on Wednesday night.
A security researcher with Rapid7, Mark Schloesser, told The Guardian that users could leave themselves in a worse situation if they change their passwords before any vulnerabilities are fixed, revealing both their former and new passwords in one go.
He said: “The estimate is that the larger providers all get patched within the next 24–48 hours [Thursday to Friday afternoon] and I would agree that people should change their credentials when a provider has updated their OpenSSL versions.”
Trey Ford, also at Rapid7, added that users should avoid entering any sensitive information on vulnerable sites.
This is because the flaw puts a site's SSL keys at risk, meaning an attacker could intercept communication between the user and the server.
Ford said: “Until this is done, attacks may still be able to steal cookies, sessions, passwords, and the key material required to masquerade as the website.”
But there are a number of websites that have already fixed the flaw and recommended that users update their passwords.
Here’s a list:
“Bad news. A major vulnerability, known as ‘Heartbleed,’ has been disclosed for the technology that powers encryption across the majority of the internet. That includes Tumblr.
We have no evidence of any breach and, like most networks, our team took immediate action to fix the issue.”
“We added protections for Facebook’s implementation of OpenSSL before this issue was publicly disclosed. We haven’t detected any signs of suspicious account activity, but we encourage people to … set up a unique password.”
“We have assessed the SSL vulnerability and applied patches to key Google services.”
“As soon as we became aware of the issue, we began working to fix it … and we are working to implement the fix across the rest of our sites right now.”
“We’ve patched all of our user-facing services & will continue to work to make sure your stuff is always safe.”
“We, like most of the Internet, were stunned that such a serious bug has existed for so long and was so widespread.”