A major vulnerability known as Heartbleed (CVE-2014-0160) was discovered in OpenSSL, the widely used Web encryption library.
SSL is the most common technology used to secure websites. Web servers that use it securely send an encryption key to the visitor; that key is then used to protect all other information going to and from the server.
The OpenSSL bug went undetected for two years. It allows attackers to steal the keys that protect communications, as well as user passwords, stored files, bank and financial information, and even social security numbers, without leaving any trace.
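The flaw behind these headlines was a missing length check in OpenSSL's handling of TLS heartbeat messages. The C below is an added illustration of that bug class beside the check the fix introduced; it is not the article's or OpenSSL's code, and the record layout, function names and the 64-byte arena that stands in for process memory are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Simplified heartbeat message (RFC 6520): type(1) | payload_length(2, big-endian) |
 * payload | padding(>=16). The receiver is expected to echo the payload back. */
#define HB_HDR 3
#define HB_MIN_PAD 16

/* Vulnerable pattern (the CVE-2014-0160 bug class): the peer-supplied payload_length is
 * trusted and that many bytes are copied from wherever the record sits, so a short record
 * with a large claimed length echoes whatever lies next to it. `out` must hold 65535 bytes. */
size_t hb_echo_vulnerable(const uint8_t *rec, size_t rec_len, uint8_t *out)
{
    (void)rec_len;                              /* never consulted: that is the bug */
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    memcpy(out, rec + HB_HDR, payload_len);     /* reads past the record if the length lies */
    return payload_len;
}

/* Hardened form: header, claimed payload and minimum padding must all fit inside the record
 * actually received; anything else is discarded without a reply (returns -1). */
long hb_echo_checked(const uint8_t *rec, size_t rec_len, uint8_t *out)
{
    if (rec_len < HB_HDR + HB_MIN_PAD) return -1;        /* too short to be well-formed */
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)HB_HDR + payload_len + HB_MIN_PAD > rec_len) return -1;
    memcpy(out, rec + HB_HDR, payload_len);
    return payload_len;
}

/* Constructed scenario: a 64-byte arena stands in for process memory. Its first 24 bytes are a
 * heartbeat record carrying a 5-byte payload that claims 40; "secret" bytes follow it. */
#define ARENA_REC_LEN 24
static uint8_t arena[64];

void build_arena(void)
{
    memset(arena, 0, sizeof arena);
    arena[0] = 1;                                 /* heartbeat_request */
    arena[1] = 0x00; arena[2] = 40;               /* claimed payload_length = 40, real is 5 */
    memcpy(arena + HB_HDR, "hello", 5);           /* real payload */
    memset(arena + HB_HDR + 5, 0xAA, HB_MIN_PAD); /* padding, bytes 8..23 */
    memcpy(arena + ARENA_REC_LEN, "SECRET-KEY-MATERIAL-NEXT-IN-MEMORY", 34);
}
```

Run against the arena, the unchecked handler echoes 40 bytes and the last 19 of them are the "secret" bytes that sit after the record; the checked handler rejects the same record because a 40-byte claim cannot fit in 24 bytes.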
The widespread bug surfaced on Monday, April 7. Developers rushed out patches to fix affected web servers as they disclosed the problem, which affected companies including Google, Facebook, Yahoo, Pinterest and YouTube.
A fixed version of OpenSSL had been released before the problem was announced publicly. CNET researched the top 100 sites in the US and listed which companies were affected and which had already patched the bug. Separately, developer and cryptography consultant Filippo Valsorda published a tool that lets people check websites for the Heartbleed vulnerability.
Google said it had applied the Heartbleed patch to its search engine, Gmail, YouTube, Wallet, and the Play store for mobile apps and other digital content.
Yahoo Inc., which has more than 800 million users around the world, said Tuesday that most of its popular services - including sports, finance and Tumblr - had been fixed, but work was still being done on other products that it didn't identify.
Facebook, which has more than 1.2 billion users, said it had already addressed the issue when it was publicly disclosed.
Twitter and Amazon.com said their websites weren't exposed to Heartbleed. eBay, which runs the PayPal payment service as well as online shopping bazaars, said most of its services avoided the bug.
Computer security experts are advising people to consider changing all their online passwords.
"I would change every password everywhere because it's possible something was sniffed out," said Wolfgang Kandek, chief technology officer for Qualys, a maker of security-analysis software. "You don't know because an attack wouldn't have left a distinct footprint."
This bug was independently discovered by a team of security engineers at Codenomicon and by Neel Mehta of Google Security, who first reported it to the OpenSSL team. The researchers worked with the OpenSSL team to fix the problem. The bug afflicts the 1.0.1 and 1.0.2-beta releases of OpenSSL, software that ships with many versions of Linux and is used in popular Web servers, according to the OpenSSL project's advisory.