The Heartbleed vulnerability first publicly disclosed on April 7 continues to be a threat to the security of the Internet a week after the first patches were released. The latest twists in the Heartbleed saga include a public disclosure from the Canadian Tax Revenue agency that information was stolen from Canadian taxpayers due to Heartbleed. Additionally, a new report claims that 50 million Android devices are still at risk from the Heartbleed flaw.
The Heartbleed flaw is technically a security vulnerability in the open-source OpenSSL cryptographic library that provides SSL encryption capabilities. OpenSSL is widely deployed within Linux technology and Websites, including the Website of the Canada Revenue Agency (CRA).
In a statement on its Website, the CRA noted that it shut down online tax filing services on April 8 when it first became aware of the Heartbleed bug. Unlike the United States, where the personal tax filing deadline is April 15, Canadians typically have until April 30 to file their taxes. The CRA Website was shut down from April 8 until April 13 as a direct impact of the Heartbleed flaw. The CRA is now extending the tax filing deadline until May 5.
The CRA also has publicly admitted that approximately 900 Canadian taxpayers were directly impacted by the flaw. The CRA notes in a statement that prior to the shutdown of the tax Website, there was a 6-hour period during which the site was under attack by hackers looking to exploit the Heartbleed bug.
“Based on our analysis to date, Social Insurance Numbers (SIN) of approximately 900 taxpayers were removed from CRA systems by someone exploiting the Heartbleed vulnerability,” Andrew Treusch, commissioner for the CRA, said in a statement. “We are currently going through the painstaking process of analyzing other fragments of data, some that may relate to businesses, that were also removed.”
Android
While Websites around the world have scrambled to implement a patch for the Heartbleed flaw, it’s also a vulnerability that impacts Google’s Android mobile users. While Google has issued some patches for its products and services, Android 4.1 remains at risk.
The Android 4.1 “Jelly Bean” mobile operating system was released back in 2012, though it is still widely deployed today, with as many as 50 million users worldwide.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.