A newly discovered OpenSSL bug called Cupid could allow attackers to strip Web connections of encryption, and it has likely been around for more than a decade.
On Thursday, the OpenSSL Foundation confirmed that it had been informed of the flaw and has issued a patch. The nonprofit’s encryption service is used by the majority of the Internet’s SSL servers. OpenSSL is the same software affected by the Heartbleed bug, which was able to pluck the encryption keys that companies use to protect consumers’ data directly from the companies themselves.
According to a blog post by Masashi Kikuchi, the Japanese researcher who discovered the latest flaw, the bug’s roots have existed in the software since it was first released in 1998. It targets part of OpenSSL’s “handshake” that establishes encrypted connections, called ChangeCipherSpec, and forces the server and computer into performing the handshake using weak encryption keys. Those keys can be exploited to decrypt the data (login information, for example) and read what is being transmitted.
But unlike Heartbleed, which let anyone directly attack any server that used OpenSSL, the attacker using the Cupid bug would need to be located along the path of communication between the two targeted computers, and both computers would need to be using OpenSSL. Though that limits the scenarios in which Cupid could be used, one possible point of entry for an attacker is an open wireless network, according to PC Magazine.
Macs, Windows boxes and iOS devices aren’t affected, but Android 4.1.0 and 4.1.1 both use a vulnerable version of OpenSSL, so users should avoid connecting to open Wi-Fi networks until they update their Android software.