Google accused of taking too long to report Heartbleed bug

Security experts have alleged that Google put its corporate interests before global internet users' security by waiting too long to report the serious Heartbleed security bug to the open-source project whose software contained the critical error.

It is alleged that Google knew about the Heartbleed encryption flaw on or before March 21 in the US, and withheld it from rivals such as Yahoo, according to a report.

Many experts say that Google privately told select companies about the bug before telling OpenSSL, whose software contained the bug and is used by half a million websites globally to encrypt internet traffic. This has angered many in security circles.

Heartbleed, the security bug, has impacted the security of millions of online accounts and resulted in worldwide panic among website owners and users. The bug was disclosed publicly last week. Many security experts have recommended that users reset their passwords for large sites since the bug was reported.

For up to 48 hours after the flaw was made public by OpenSSL, Yahoo's online services, such as photo site Flickr, Yahoo Mail and Yahoo web search, were still vulnerable, as were many other websites, operating system distributions and device manufacturers.

The companies that Google did not inform before the public disclosure include Amazon Web Services, Twitter, Yahoo, Ubuntu, Cisco, Juniper, Pinterest, Tumblr, GoDaddy, Flickr, Minecraft and CERT Australia, just to name a few.

Those who got a heads up before public disclosure include Facebook, content distribution networks Akamai and CloudFlare, and a small number of open-source operating system distributions, such as SuSE and FreeBSD, that responded to an email from Linux distribution Red Hat early on April 7.

It is believed that Google did not see the bug being exploited in the wild, although the US Electronic Frontier Foundation has since come out with information that suggests that in at least one case it may have been exploited since November last year.