Dubbed “heartbleed” because it attacks the heartbeat portion of the OpenSSL software that runs on approximately two-thirds of all active websites, this newly identified password vulnerability is causing security advocates to demand action by responsible site owners. Researchers who identified the weakness reported it on April 7th and have already made a free fix available to repair a security hole that may otherwise allow hackers to access encrypted e-mail messages, banking information, user names and passwords.
Since the flaw was revealed, several large websites including Yahoo, Facebook, Google and Amazon Web Services said they were fixing the problem or had already fixed it. Banking institutions have not yet made any mention of data loss or credit card numbers becoming compromised.
Reportedly, the one saving grace of this flaw is that it was relatively simple to spot and as a result very simple to fix. However, OpenSSL is so widespread. and the vulnerability affects the most popular implementation of SSL on the planet. So the risk of companies failing to patch their software is a serious one.
On the commercial website side of things, particularly in the adult market, some site owners are worried that knee-jerk reactions by banks and card associations may trigger a new round of credit card replacements, similar to what happened after the recent Target data breach that resulted in the loss of significant re-bill revenue on recurring accounts that had been billing for longer period of time without interruption but suddenly become unable to recur when new card numbers were issued to clients who were put at risk by an otherwise unrelated hack of a popular department store chain.
