Efforts to fix the notorious Heartbleed bug threaten to cause major disruptions to the Internet over the next several weeks as companies scramble to repair encryption systems on hundreds of thousands of websites at the same time, security experts say.

Estimates of the severity of the bug's damage have mounted almost daily since researchers announced the discovery of Heartbleed last week. What initially seemed like an inconvenient matter of changing passwords for protection now appears much more serious. New revelations suggest that skilled hackers can use the bug to create fake websites that mimic legitimate ones to trick consumers into handing over valuable personal information.

The sheer scale of the work required to fix this aspect of the bug — which makes it possible to steal the "security certificates" that verify that a website is authentic — could overwhelm the systems designed to keep the Internet trustworthy.

"Imagine if we found out all at once that all the doors everybody uses are all vulnerable — they can all get broken into," said Jason Healey, a cybersecurity scholar at the Washington-based Atlantic Council.

The Heartbleed bug put many consumers' user names and passwords at risk. Undetected for two years, the bug quietly undermined the basic security of the Internet by leaving a gap in OpenSSL, an encryption technology used widely by businesses to protect sensitive data. By some estimates, the bug affected as much as two-thirds of the Internet; the flaw prompted thousands of web users to change their passwords on Google, Yahoo, Facebook and other major services.


No examples have surfaced of anyone actually exploiting the vulnerability. But on Friday, web services company CloudFlare issued an open challenge to hackers to see if Heartbleed could be used to do something really dangerous — steal the security certificates that prove Google, for instance, is really Google.

CloudFlare's initial tests suggested it was probably impossible for an attacker to steal a site's security certificate and lure visitors to a duplicate that looked and behaved exactly like the real version. (Most browsers, if they detect an invalid security certificate, will block access to the site and warn the user that it may be illegitimate. But with a stolen certificate, a fake site would be allowed to load as if it were the real thing.)

But within nine hours of the challenge's launch — and three hours after he began working on the problem — a hacker named Fedor Indutny became the first to crack the code.

The next step, experts say, is for all 500,000 affected sites — from mom-and-pop retailers to big conglomerates — to revoke their security certificates and issue new ones.