When I shared the previous post on Facebook, some people and experts commented, warning that it is not advisable to change all your passwords right now. Here are some of the comments:
“As a professional security consultant, please take my advice – do NOT change your passwords until AFTER the site has been patched (and do not login until it is patched).”
“There’s a need for more serious approach to spreading awareness about password protection. It’s unbelievable how many people use 123456 as a password. Regardless of bugs or viruses or crashes – always change your password at least every 3 months.”
“The reality is that if you haven’t used a particular site in some time, the risk is nearly impossible that they have grabbed your password.
Why? This bug allows an attacker to grab a chunk of the active memory from affected systems. If you are logging in/changing your password/authenticating/uploading files then your sensitive data is in ACTIVE MEMORY because you are an ACTIVE user. However, the opposite is also true: if you aren’t an active user then there is no way they can grab your sensitive data because it isn’t going to be in memory. Your service provider should also replace all their SSL certificates because the funny thing about systems running SSL is that while SSL is running, sensitive things like its keys are in ACTIVE MEMORY and therefore at risk of being exposed. Again, the odds are low but it’s a credible risk and therefore changing out the certificates is prudent.”
The Guardian also published an article yesterday, again advising people not to rush:
“But suggestions by Yahoo and the BBC that people should change their passwords at once – the typical reaction to a security breach – could make the problem worse if the web server hasn’t been updated to fix the flaw, says Mark Schloesser, a security researcher with Rapid7, based in Atlanta, Georgia.
Doing so “could even increase the chance of somebody getting the new password through the vulnerability,” Schloesser said, because logging in to an insecure server to change a password could reveal both the old and new passwords to an attacker.”
To settle things once and for all, you can use this website (as suggested by one of our followers) to check whether a server is vulnerable or not.
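One of the comments above makes the point that a provider should replace its SSL certificates after patching, since the keys were in memory while the bug was live. A practical way to act on that advice before logging back in is to look at the date on the certificate the server now presents: if it was issued before the provider says it patched, the certificate (and possibly its key) dates from the vulnerable period. The following is an added example, not code from the original post or from any of the sites or tools it mentions. It uses only the Python standard library; the patch date and the two sample certificates are constructed for the example, and `fetch_peer_cert` is the only part that touches the network.

```python
import socket
import ssl
from datetime import datetime, timezone

# Constructed placeholder: the date the provider announced it had patched and
# replaced its certificate. Replace with the real announcement date.
PATCH_DATE = datetime(2014, 4, 9, tzinfo=timezone.utc)


def cert_issued_after(cert: dict, cutoff: datetime) -> bool:
    """Return True if the certificate's notBefore date is later than cutoff.

    `cert` has the shape returned by ssl.SSLSocket.getpeercert(), where
    notBefore is a string such as 'Apr 12 09:30:00 2014 GMT'.
    """
    not_before = cert.get("notBefore")
    if not_before is None:
        raise ValueError("certificate has no notBefore field")
    # ssl.cert_time_to_seconds parses the GMT timestamp format used by getpeercert()
    issued = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_before), tz=timezone.utc)
    return issued > cutoff


def classify(cert: dict, cutoff: datetime) -> str:
    """Summarise whether the presented certificate post-dates the patch."""
    return "reissued-after-patch" if cert_issued_after(cert, cutoff) else "issued-before-patch"


def fetch_peer_cert(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Fetch the certificate a live server presents (requires network access).

    The default context verifies the chain and hostname, so a server whose
    certificate does not validate raises ssl.SSLCertVerificationError here.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample certificates in getpeercert() format (not real sites).
OLD_CERT = {
    "subject": ((("commonName", "example.test"),),),
    "notBefore": "Jan 15 00:00:00 2014 GMT",
    "notAfter": "Jan 15 23:59:59 2015 GMT",
}
NEW_CERT = {
    "subject": ((("commonName", "example.test"),),),
    "notBefore": "Apr 12 09:30:00 2014 GMT",
    "notAfter": "Apr 12 09:30:00 2015 GMT",
}

if __name__ == "__main__":
    for name, cert in (("old", OLD_CERT), ("new", NEW_CERT)):
        print(name, cert["notBefore"], "->", classify(cert, PATCH_DATE))
    # To check a real server once you know its patch date:
    #   print(classify(fetch_peer_cert("example.test"), PATCH_DATE))
```

A certificate issued after the patch date is only one signal: it shows the provider rotated its certificate, not that the old key was revoked, so treat "issued-before-patch" as a reason to wait and "reissued-after-patch" as necessary but not sufficient before changing a password.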
It’s not our area of expertise, but thanks to the comments of experts and concerned readers who shared their opinions, we were able to give you more information.