Facebook Inc. and Yahoo Inc.'s blogging site Tumblr advised
users to change their passwords because of the so-called Heartbleed
bug. Canada's tax agency shut its filing website as a precaution,
weeks before its April 30 filing deadline.
Websites for Airbnb Inc., the Four Seasons hotel chain and
Netflix Inc. were vulnerable for a time, said Wayne Jackson, CEO of
Sonatype Inc., which manages open-source software. Airbnb and
Netflix said they had updated their software. Four Seasons didn't
immediately respond to a request for comment.
"It's easily the worst vulnerability since mass-adoption of the
Internet," said Matthew Prince, CEO of CloudFlare Inc., a San
Francisco cybersecurity company.
The hole in the Internet was supposed to be fixed quietly.
Researchers at Google Inc. who found the bug told the team in
charge of the code, OpenSSL Project, last week, said Mark Cox, an
OpenSSL manager.
OpenSSL then planned to tell trusted website operators how to
fix the bug before making it public Wednesday. Some big sites,
including Facebook and Akamai Technologies Inc., did get a heads-up,
people familiar with the research said.
But by Sunday managers feared that news of the security hole had
leaked to hackers, and so they disclosed it on Monday. That caught
companies from Amazon.com Inc. to Yahoo unprepared.
A Yahoo spokeswoman said the company had "made the appropriate
corrections." Amazon Web Services posted a security bulletin
detailing what services it had updated.
The episode illustrates the delicate task of managing the
Internet's plumbing to keep it safe for banks, social networks and
retailers. When companies find flaws, they have to decide how to
tell as many people as possible without tipping off hackers.
If the news gets out too quickly, the "patches" to fix the bug may
not be ready, said Christopher Soghoian, a technologist at the
American Civil Liberties Union. Move too slowly, and hackers will
learn of the weakness.
A Google spokeswoman declined to comment on who was notified
early. Codenomicon, whose researchers also helped find the bug,
didn't respond to a request for comment.
The Heartbleed bug is problematic because it affected about
two-thirds of Internet servers when it was disclosed Monday.
Websites where users have to log in increasingly use encryption to
make sure users' personal information is unreadable as it traverses
the Internet.
The majority, including Internet companies, banks and the
federal government, use a free version of this code from OpenSSL, a
library of encryption code for websites managed by Mr. Cox and
three other European developers.
The bug affected OpenSSL versions released in the past two
years. In vulnerable systems, hackers can grab previously encrypted
data from a website's server before it is deleted.
Researchers said it is impossible for a website to detect
whether or not hackers use the bug to steal data. That means
companies can't notify consumers who may have been hacked.
Security teams at Facebook and Akamai, which helps move videos
across the Internet, received similar warnings, people familiar
with the matter said.
"We added protections for Facebook's implementation of OpenSSL
before this issue was publicly disclosed," said a Facebook
spokesman, who declined to elaborate. An Akamai spokesman said the
company was contacted by the OpenSSL team in advance.
Google also had patched its systems ahead of time. The search
giant told users Wednesday they didn't need to change Google
passwords.
The Canada Revenue Agency said that, after learning late Tuesday
about the Heartbleed bug, it decided to halt access to its online
tools that allow individuals and businesses to make tax filings
electronically.
In an update Wednesday, the agency said it was working on a
"remedy" to restore online tax-filing services and expected the
services to resume sometime this weekend.
---
Paul Vieira contributed to this article.