Nearly three years after OpenSSL vulnerability Heartbleed was exposed, nearly 200,000 websites are still affected by the critical bug.
It has been quite a while since Heartbleed was making headlines left and right, and yet here we are, years later, expecting for everyone to be protected from this issue only to find out this ideal could not be farther from the truth.
Heartbleed, as you may remember, is one of the biggest flaws in the history of the Internet, affecting the core security of about two-thirds of the servers in the world. At the time of its discovery, back in April 2014, that number stood at about half a million. The fact that this coding issue is still a problem after so long is mindboggling.
Shodan, a search engine allowing users to find specific types of computers connected to the Internet by using a wide range of filters, has released a report revealing just how many vulnerable devices really are out there. The result was probably as surprising to them as it is to us – 199,500 systems. These are all exploitable by the Heartbleed vulnerability because no one bothered to patch the OpenSSL instances running on the systems.
Heartbleed, as you may remember, is a serious bug in the OpenSSL’s implementation of the TLS/DTLS heartbeat extension. This allowed attackers to read some portions of the memory of the affected server, exposing whatever data had passed through there.
The report further reveals that the most vulnerable systems come from ten countries. The United States have most of them – over 57,000, while Korea, China, Germany, and France make up the top 5. Russia, UK, India, Brazil and Italy follow up to make up the rest of the top ten nations with most exploitable services.
The top organizations vulnerable to Heartbleed are SK Broadband and Amazon.com, while 75,000 of the vulnerable services on the list use expired SSL certificates and run versions of Linux 3.
Owners of said servers should update the software to the latest version of OpenSSL, patching up the exploit, create new private keys that will prevent an attack, and reissue security certificates.
What is Heartbleed?
Heartbleed is a vulnerability that was discovered in 2014 by a Google engineer, and it immediately drew loads of attention given how widespread the use of OpenSSL is. At the time of discovery, some 600,000 websites were at risk.
Thankfully, when Heartbleed was revealed, a patch was also released so admins across the world could go about and fix the bleeding. Two months later, only half of them had been fixed. It seems that even though so many years have passed, not much has been done about the remaining 300,000 websites, since only a third of them have been fixed. Enough time has passed for everyone to update the systems.
This was the type of vulnerability that was perfect for those who wanted to snoop on private conversations, such as the NSA, for instance, since the Intelligence agency was in the middle of the Snowden scandal at the time. The NSA, however, denied even knowing about Heartbleed but admitted that it had kept such vulnerabilities a secret before.
Heartbleed has worked as glue for tech companies; it pushed them to work together to find a fix, to make sure something like this did not happen again. Google, Facebook, Microsoft, Amazon, and Cisco are just a few of the companies that pledged to donate money so that developers are supported as they work on making OpenSSL better and safer.