The reach of the insidious Heartbleed bug keeps growing, along with the number of points of vulnerability, and now it seems millions of Android (NASDAQ:GOOG) handsets could be at risk.
Heartbleed allows anyone on the internet to read the memory of systems protected by vulnerable versions of the OpenSSL software. The vulnerability is present in sites powered by OpenSSL versions 1.0.1 through 1.0.1f, Mark McCurley, CISSP, CAP, Security+, senior information security advisor at IDT 911 Consulting, told FierceRetailIT.
Heartbleed allows hackers to trick systems running a vulnerable version of OpenSSL into revealing blocks of stored data from the past two years, data that is just sitting in a system's memory. This includes the keys the system uses to encrypt information: exactly the kind of information that shoppers enter and store when making online purchases. Banks and other financial institutions also appear to be vulnerable.
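As an added illustration (not from the article or from any vendor quoted in it), here is a defender-side triage script that checks `openssl version` output from a host inventory against the affected range named above, OpenSSL 1.0.1 through 1.0.1f. It assumes OpenSSL's letter-suffix release ordering, and the hostnames and version strings it uses are constructed samples.

```python
import re

# Added example, not from the article: defender-side triage of `openssl version`
# output against the affected range the article cites, OpenSSL 1.0.1 through 1.0.1f.
# OpenSSL point releases carry a letter suffix: "1.0.1" is the branch's first release,
# then 1.0.1a, 1.0.1b, ...; 1.0.1g is the first release that carries the fix.
AFFECTED_BRANCH = (1, 0, 1)
FIRST_FIXED_LETTER = "g"

# Matches "1.0.1e" inside a line such as "OpenSSL 1.0.1e 11 Feb 2013".
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(text):
    """Return ((major, minor, fix), letter) from an `openssl version` line."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError("no OpenSSL version number found in %r" % text)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))), m.group(4)


def in_heartbleed_range(text):
    """True when the version lies in 1.0.1 .. 1.0.1f; 1.0.0, 0.9.8 and 1.0.1g+ are outside."""
    branch, letter = parse_openssl_version(text)
    if branch != AFFECTED_BRANCH:
        return False
    # Empty letter is the original 1.0.1 release, which is affected. Comparing
    # (length, letter) keeps a hypothetical double-letter release sorted after "z".
    return (len(letter), letter) < (1, FIRST_FIXED_LETTER)


def triage_inventory(inventory):
    """Map host -> verdict. A version match is a lead, not proof: distributions often
    backport the fix without changing the letter, so a "1.0.1e" host may already be
    patched; confirm flagged hosts against the vendor package changelog."""
    verdicts = {}
    for host, line in inventory.items():
        try:
            flagged = in_heartbleed_range(line)
        except ValueError:
            verdicts[host] = "unparsed"
            continue
        verdicts[host] = "in affected range, verify" if flagged else "outside affected range"
    return verdicts


# Constructed sample inventory; hostnames and version lines are made up.
SAMPLE_INVENTORY = {
    "web-01": "OpenSSL 1.0.1e 11 Feb 2013",
    "web-02": "OpenSSL 1.0.1g 7 Apr 2014",
    "cache-01": "OpenSSL 1.0.1 14 Mar 2012",
    "odd-01": "libssl present, version unknown",
}
```

Run `triage_inventory(SAMPLE_INVENTORY)` to get a host-to-verdict map; a flagged host still needs a check of the distribution's package changelog, since a backported fix leaves the version letter unchanged.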
Most online retailers' Web servers use a version of Linux for their operating system, which in turn uses OpenSSL to provide secure encrypted browsing for their customers. "This is a very serious vulnerability that affects the vast majority of online retailers such as Amazon," said McCurley. "Online vendors are working feverishly to patch the bug."
While the early focus was on vulnerable websites, researchers now warn that mobile applications are also exposed. Although most versions of Android are immune to Heartbleed, those running version 4.1.1 are not, according to Google. With roughly 34 percent of users never receiving an update, close to 50 million Android users are left vulnerable to the bug, reported Ars Technica.
Google has said it is working to release a patch, but again, many users never download patches, so the vulnerability will remain on those devices.