There's yet another security nightmare staring down retailers as the Heartbleed bug threatens to expose data that was supposed to be protected by OpenSSL encryption.
The bug, dubbed Heartbleed, allows anyone on the internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. The vulnerability is present in sites powered by OpenSSL versions 1.0.1 through 1.0.1f, explained Mark McCurley, CISSP CAP Security+, senior information security advisor, IDT 911 Consulting.
It appears that Heartbleed allows hackers to trick most systems running a vulnerable version of OpenSSL into revealing blocks of data from the past two years, data that's just sitting in a system's memory. This includes the keys the system uses to encrypt information: exactly the kind of information that shoppers enter and store when making online purchases. Banks and other financial institutions also appear to be vulnerable.
"Conservatively estimated, two-thirds of the Internet's Web servers use OpenSSL to cryptographically prove their legitimacy and to protect passwords and other sensitive data from eavesdropping," said McCurley. "The bug makes it possible for attackers to recover up to 64 kilobytes of memory from the server or client computer running a vulnerable OpenSSL."
Most online retailers' Web servers run a version of Linux as their operating system, which in turn uses OpenSSL to provide secure encrypted browsing for their customers. "This is a very serious vulnerability that affects the vast majority of online retailers such as Amazon," said McCurley. "Online vendors are working feverishly to patch the bug."
And while brick-and-mortar and omnichannel retailers have been working overtime to reform their security practices in the wake of several high-profile breaches, now it's the online retailers' turn to scrub their security practices.