The flaw could help hackers steal information, including credit card numbers and personal consumer data, from inside servers that operate e-commerce sites. But patches and other steps could help web merchants reduce any risk of fraud, experts say.
Thad Rueter, Senior Editor
Big, huge, deeply worrying—but certainly not catastrophic if the right steps are taken. That was the early view today about the impact the latest web security flaw will have on e-commerce.
Called the Heartbleed Bug, the flaw could help hackers steal information, including credit card numbers and personal consumer data, from inside servers that operate e-commerce sites. The attack also could enable criminals to create web sites that mimic real ones and which could be used to steal from consumers, experts say. While those experts could point to no such thefts today, they say retailers will have to keep their eyes open to make sure they are not victims of fraud.
“Potentially everything is at risk,” says Paul Hill, senior consultant at web security firm System Experts.
The flaw involves free web encryption tools called OpenSSL. Such encryption enables web site operators to protect such data as payment information, user names and passwords—important at all times, but especially so as more consumers use mobile devices from Internet hotspots. Consumers can typically identify sites that use OpenSSL by a digital representation of a padlock or the HTTPS at the beginning of a web address.
“The error allows an attacker to trick the server into disclosing a substantial chunk of memory, repeatedly,” says Ivan Ristic, director of application security research for web security firm Qualys. “As you can imagine, process memory is likely to contain sensitive information—for example server private keys for encryption. If those are compromised, the security of the server goes down the drain, too.”
Because of the widespread use of OpenSSL—SSL stands for “secure sockets layer”—experts have estimated that up to two-thirds of web sites around the world could be impacted. Jeff Schmidt, CEO of cybersecurity firm JAS Global Advisors, says that OpenSSL is the most common SSL implementation in the Linux and Unix operating systems, but not the Microsoft operating system. The problem impacts only secure web pages—that means someone browsing the news at CNN.com doesn’t have reason to worry about his information being stolen.
E-commerce operators and companies involved in online marketing today acknowledged the seriousness of the Heartbleed bug and reassured consumers that security was under control. “This means that the little lock icon (HTTPS) we all trusted to keep our passwords, personal e-mails, and credit cards safe was actually making all that private information accessible to anyone who knew about the exploit,” wrote microblogging platform provider Tumblr today.
Online marketplace Etsy Inc., No. 38 in the Internet Retailer 2013 Top 500 Guide, says it learned about the bug Monday. “We quickly began to determine the exposure of both our own systems, and those of our partners,” Etsy says in a notice to consumers. “As of right now, we have no indication that an attack has been conducted against Etsy beyond testing the vulnerability, but this type of issue makes it very difficult to detect, so we’re proceeding with a high degree of caution.”
Such e-commerce giants as Amazon.com Inc., Google Inc. and eBay Inc. reportedly were found safe from the bug after testing, but none of the companies provided immediate comment. The bug also hit e-mail providers including Yahoo Inc., says Julie Fergerson, vice president of emerging technologies at payment security service Ethoca Ltd. That means that if a user uses a Yahoo e-mail address for his e-commerce or bank accounts, “a takeover will be relatively easy if the crooks have compromised the user ID and password at the e-mail provider,” she says. Yahoo provided no immediate comment.
So what is the problem and what steps can retailers take to secure their sites and information?
According to web security firm Codenomicon and similar experts:
• The flaw affects OpenSSL 1.0.1 through 1.0.1f.
• The bug was introduced into OpenSSL in December 2011 and, in the words of Codenomicon, “has been out in the wild” since OpenSSL was released in March 2012. What have the attackers been doing since then? No one could say, but Schmidt says that if criminals were stealing encryption key information from SSL certificates, that would enable the attackers to set up phishing sites that seek to attract unsuspecting consumers, usually via e-mail that purports to come from legitimate retailers, banks or other companies.
• OpenSSL 1.0.1g, which was released in April, fixes the bug.
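As an added example, not code from the article or from Codenomicon or Qualys, here is a small Python check that classifies the banner printed by `openssl version` against the 1.0.1 through 1.0.1f range listed above. The sample banners in the comments are constructed, and, as the code notes, a version string alone does not settle the status of a Linux distribution package that may carry a backported fix.

```python
import re
import subprocess

# Range the article gives: OpenSSL 1.0.1 through 1.0.1f are affected, 1.0.1g fixes it.
AFFECTED_BASE = (1, 0, 1)
FIRST_FIXED_LETTER = "g"

# Matches banners such as "OpenSSL 1.0.1e-fips 11 Feb 2013" or "OpenSSL 1.0.1 14 Mar 2012".
_BANNER_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]?)", re.IGNORECASE)


def parse_openssl_version(banner):
    """Return ((major, minor, patch), letter) from an `openssl version` banner, or None."""
    m = _BANNER_RE.search(banner)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))), m.group(4).lower()


def heartbleed_status(banner):
    """Classify a banner against the 1.0.1 .. 1.0.1f range named in the article.

    Returns 'affected-version', 'fixed', 'outside-range' or 'unknown'.
    Caveat: Linux distributions commonly backport the fix while keeping the
    old letter (a patched package may still report 1.0.1e), so
    'affected-version' means "confirm against the vendor advisory or package
    changelog", not "proven vulnerable".
    """
    parsed = parse_openssl_version(banner)
    if parsed is None:
        return "unknown"
    base, letter = parsed
    if base != AFFECTED_BASE:
        return "outside-range"   # the article names no other branch as affected
    if letter >= FIRST_FIXED_LETTER:
        return "fixed"
    return "affected-version"    # '' (plain 1.0.1) through 'f'


def local_openssl_status():
    """Run `openssl version` on this host and classify it; 'unknown' if the tool is absent."""
    try:
        out = subprocess.run(["openssl", "version"], capture_output=True,
                             text=True, check=False).stdout
    except FileNotFoundError:
        return "unknown"
    return heartbleed_status(out)


if __name__ == "__main__":
    print(local_openssl_status())
```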
Retailers should take the following immediate steps to make sure they are secure, according to experts:
• Test their web infrastructure for flaws—but make sure to use vetted testing tools from Qualys Inc. and other reputable vendors, lest a tool represent another attempt by criminals to get into the system.
• Contact their web security vendors, which are likely to have software patches ready to go that will fix the problem.
• If a company does its own software maintenance, it should recompile its OpenSSL library.
• Revoke and reissue SSL certificates. That will likely require technical assistance from security vendors. “It’s not hard, just irritating,” Schmidt says. “If you have a lot of web servers, it will take some time.”
• Keep a watch out for an increase in chargebacks and other signs that might point to fraud. “Merchants should stay vigilant for any unusual activity, and look for attributes of an account takeover [such as] shipping to addresses that might not make sense, resetting credentials, coming in from new or unknown IP addresses or unknown device IDs,” Fergerson says. “Unfortunately these are all also attributes of good consumers, which is why account takeovers are so hard to detect.”
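As an added example, not code from the article or from Ethoca, the following Python turns Fergerson's account-takeover attributes (credential resets, new IP addresses, unknown device IDs, shipping to unfamiliar addresses) into a simple scorer that only flags an account when several of them cluster in a short window, which is the practical answer to her point that each signal on its own also describes a good customer. The event records are constructed sample data, and the field names and threshold are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events (not from the article):
# (timestamp, account, event kind, client IP, device ID, shipping address or None).
EVENTS = [
    ("2014-04-01T10:00:00", "acct-1", "order", "203.0.113.5", "dev-A", "home"),
    ("2014-04-03T09:30:00", "acct-1", "order", "203.0.113.5", "dev-A", "home"),
    ("2014-04-09T02:10:00", "acct-1", "password_reset", "198.51.100.7", "dev-Z", None),
    ("2014-04-09T02:25:00", "acct-1", "order", "198.51.100.7", "dev-Z", "freight-forwarder"),
    ("2014-04-02T11:00:00", "acct-2", "order", "192.0.2.9", "dev-B", "home"),
    ("2014-04-08T12:00:00", "acct-2", "password_reset", "192.0.2.9", "dev-B", None),
    ("2014-04-08T12:05:00", "acct-2", "order", "192.0.2.9", "dev-B", "home"),
]

FLAG_THRESHOLD = 3  # assumed: one signal alone is ordinary customer behaviour


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")


def score_account_takeover(events, window_hours=24):
    """Per account, compare the most recent window with the account's earlier
    history and return {account: (score, sorted list of reasons)}."""
    by_acct = {}
    for ts, acct, kind, ip, dev, addr in events:
        by_acct.setdefault(acct, []).append((_parse(ts), kind, ip, dev, addr))
    results = {}
    for acct, evs in by_acct.items():
        evs.sort(key=lambda e: e[0])
        window_start = evs[-1][0] - timedelta(hours=window_hours)
        history = [e for e in evs if e[0] < window_start]
        recent = [e for e in evs if e[0] >= window_start]
        known_ips = {e[2] for e in history}
        known_devs = {e[3] for e in history}
        known_addrs = {e[4] for e in history if e[4]}
        reasons = set()
        for _, kind, ip, dev, addr in recent:
            if kind == "password_reset":
                reasons.add("credential_reset")
            if history:  # a brand-new account has no baseline to deviate from
                if ip not in known_ips:
                    reasons.add("new_ip")
                if dev not in known_devs:
                    reasons.add("new_device")
                if addr and addr not in known_addrs:
                    reasons.add("new_ship_addr")
        results[acct] = (len(reasons), sorted(reasons))
    return results


def flagged_accounts(events, window_hours=24, threshold=FLAG_THRESHOLD):
    """Accounts whose clustered signals reach the threshold, for manual review."""
    scores = score_account_takeover(events, window_hours)
    return sorted(a for a, (s, _) in scores.items() if s >= threshold)
```

Only acct-1 crosses the threshold: a reset from an unknown IP and device followed by an order to a new address; acct-2's reset from its usual device scores one and is left alone.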
The “worst possible thing” that could arise from the OpenSSL attack is that criminals are able to grab the private keys that enable encryption, setting the stage for future attacks and fraud, Schmidt says. But as long as e-commerce operators get the patches and follow the other steps, he anticipates no major impact in the long term.