Internet security experts have found a major security bug, Heartbleed, that allowed people to access users’ connection to secure websites and obtain their secure information. The bug now has a patch, though sites still have to implement it.
David Ruben, head of Harvard-Westlake Computer Services, sent an advisory to faculty and staff Thursday saying that none of the school’s websites was affected by the bug.
He said, however, that private accounts could be affected.
“This is not a hoax, it is real,” Ruben’s memo said. “Due to vulnerabilities in some web sites, it is possible that your username and password to those web sites has been compromised. The problem is that there isn’t clear information on what to do about it. For the time being, I would strongly recommend that you not log in to any web sites that have been affected and haven’t implemented a fix.”
All hw.com accounts are safe from the bug, so there is no need to take any actions with them, he said.
Many sites, though, such as Tumblr and Yahoo, did have a period during which they were not safe. Other sites, such as Facebook and Twitter, claim that they were not using the insecure code at the time. To test a site, people can go to http://filippo.io/Heartbleed/ and enter the site to see if it is safe from the bug.
Even if sites have now patched the bug or claim that the bug never affected them, users are still advised to change their passwords, especially on sites with sensitive information or for accounts that are important to them.
Still, many are not worried about the chance of their accounts being stolen.
“It’s really not as big of a deal as everyone is making it out to be,” Jacob Gold ’15 said. “None of the sites I use on a regular basis were affected, so I personally haven’t worried very much. If you use Tumblr I guess you have to change your passwords.”
The Heartbleed bug affected Hypertext Transfer Protocol Secure (HTTPS), the protocol websites use to communicate with users securely. The OpenSSL library, which many websites used as the security layer of HTTPS, had an issue that allowed people to get into the secure connection and gather any information from the server without detection, including passwords and decryption keys for the whole site.
For more information on the Heartbleed bug, users can visit http://heartbleed.com/.