Earlier this afternoon, Yahoo confirmed that hundreds of millions of its users could be exposed by the brand new Heartbleed bug that is taking every server running OpenSSL by storm.
With little more than a standard server request, security researcher Mark Lohman was able to pull plaintext usernames and passwords straight off Yahoo's email server, with nothing and no one stopping him along the way.
And although the technique is hit-or-miss at best (Lohman could only read the logins that took place while his request was running), he was still able to make off with a decently sized cache of credentials that should at least have been stored in an encrypted format.
(The plaintext passwords above have been obscured to protect the Yahoo Mail users they belong to, a courtesy not everyone exploiting this vulnerability is likely to offer.)
It is this lack of protection at big firms like Yahoo that has the netsec world most worried about smaller outfits. Companies whose IT department consists of one guy who only comes in on Wednesdays and Fridays are the targets that present the highest level of risk to anyone who wants to browse the web and still remain safe.
All in all, it could take years before every last server on the web is updated with the patches and changes required to keep Heartbleed at bay. That said, many of the major players with significant skin in the game have been scrambling, unleashing armies of engineers and IT gurus into the labyrinths of their server farms to check and double-check every last hole and make sure their OpenSSL certificates are consistently up to date as more information is released about the bug and what it is truly capable of.