Background

The Heartbleed Bug Breaks Internet Security Worldwide

Nicknamed Heartbleed, the bug has a scary name that matches the damage it can do. It's no surprise that it has exposed millions of usernames, passwords and credit card numbers, data that hackers could have exploited during the more than two years the bug went undetected.

The bug, which gets its name from OpenSSL's implementation of the TLS/DTLS Heartbeat Extension (RFC6520), has left a large amount of private keys and other secrets exposed to the internet. It can reveal up to 64 kilobytes of the application's memory with every periodic keep-alive signal (heartbeat).

Considering the long exposure, the ease of exploitation and the fact that attacks leave no trace, Heartbleed, which has the CVE (Common Vulnerabilities and Exposures) number CVE-2014-0160, is a bug that should be taken seriously.

A team of security engineers (Riku, Antti and Matti) from the Finnish security firm Codenomicon, and Neel Mehta of Google Security, discovered the bug. The Codenomicon team found the Heartbleed bug while improving the SafeGuard feature in Codenomicon's Defensics security testing tools. When they found Heartbleed, the team reported the bug to NCSC-FI for vulnerability coordination. NCSC-FI then took on the task of reaching out to the authors of the OpenSSL software and to the operating system and appliance vendors that were potentially affected.

Heartbleed was introduced into OpenSSL in December 2011 and has been in the wild since OpenSSL released version 1.0.1 on March 14th 2012. The bug affected OpenSSL 1.0.1 through 1.0.1f. It was fixed in OpenSSL 1.0.1g, released on April 7th 2014.

The Heartbleed bug is a vulnerability in the OpenSSL cryptographic software library. OpenSSL encrypts data, including passwords and personal information, while it travels to a server; this is supposed to keep hackers from eavesdropping. An attacker exploits the bug by sending malformed 'heartbeat' requests to the server, whose responses then come back carrying the contents of its memory. Due to a lack of bounds checking, vulnerable versions of OpenSSL never verify whether the heartbeat request is valid, that is, whether its declared payload length actually fits inside the data that was received. This allows attackers to bring about inappropriate server responses.
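To make the missing check concrete, here is a simplified model of a heartbeat handler written for this page, not code from OpenSSL: the vulnerable version trusts the 2-byte payload length field, while the hardened version applies the bounds check the fix introduced. The function names (hb_vulnerable, hb_hardened), the MEMORY buffer and its contents are all constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* RFC 6520 heartbeat message (after the TLS record header):
 *   1 byte type (1 = request, 2 = response), 2-byte big-endian payload_length
 *   (hence the 64 KB ceiling), payload, then at least 16 bytes of padding.
 * All names here are this example's own, not OpenSSL's. */
#define HB_REQUEST     1
#define HB_RESPONSE    2
#define HB_MIN_PADDING 16

/* Constructed "process memory": a 4-byte record whose length field claims a
 * 512-byte payload, followed by unrelated data the server happens to hold. */
static const uint8_t MEMORY[] = {
    HB_REQUEST, 0x02, 0x00, 'A',                 /* type, length = 512, 1-byte payload */
    'S', 'E', 'C', 'R', 'E', 'T', 'K', 'E', 'Y', 0 };
static const size_t RECORD_LEN = 4;              /* bytes the TLS layer really received */

/* Vulnerable handler: trusts the declared payload length and never compares it
 * with rec_len, so it copies memory past the end of the record. (The copy is
 * capped at out_cap only so this simulation stays inside MEMORY.) */
size_t hb_vulnerable(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap) {
    (void)rec_len;                               /* never consulted: the bug */
    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];
    size_t n = payload_len < out_cap ? payload_len : out_cap;
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + 3, rec + 3, n);                 /* over-read: bytes beyond rec[3] are not payload */
    return 3 + n;
}

/* Hardened handler: the fix is one bounds check. RFC 6520 says a request whose
 * declared length does not fit the record must be silently discarded (-1 here). */
int hb_hardened(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap) {
    if (rec_len < 3 || rec[0] != HB_REQUEST) return -1;
    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];
    if (1 + 2 + payload_len + HB_MIN_PADDING > rec_len) return -1;  /* the missing check */
    if (3 + payload_len > out_cap) return -1;
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload_len);
    return (int)(3 + payload_len);
}

int main(void) {
    uint8_t out[64] = {0};
    size_t n = hb_vulnerable(MEMORY, RECORD_LEN, out, sizeof MEMORY - 3);
    printf("vulnerable: %zu-byte response leaking \"%s\"\n", n, (const char *)out + 4);
    printf("hardened: %d (malformed request discarded)\n", hb_hardened(MEMORY, RECORD_LEN, out, sizeof out));
    return 0;
}
```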

The most notable software using OpenSSL is web servers like Apache and nginx, which together account for 66 percent of the internet's web servers according to Netcraft's April 2014 Web Server Survey. The bug is unlike other revealed weaknesses because it sits in software that is actually designed to keep servers secure. This is why experts were calling Heartbleed the worst bug yet for internet users to worry about, especially those that frequently use the web to conduct business.

Heartbleed allows the stealing of information that, under normal conditions, is protected by the SSL/TLS encryption used to secure the internet. With 66 percent penetration, internet users are likely to be affected by the bug, directly or indirectly, because OpenSSL is the most popular open source cryptographic library and the TLS implementation most commonly used to encrypt traffic on the web. Social media sites, company sites, e-commerce sites, even government sites might be using vulnerable OpenSSL. Furthermore, OpenSSL is also used to protect email servers (SMTP, POP and IMAP protocols), chat servers (XMPP protocol), virtual private networks (SSL VPNs), network appliances and a wide variety of client-side software.

When the bug was first discovered, at least 500,000 servers were vulnerable.

"I would classify it as possibly the top bug that has hit the internet that I've encountered, because of it being so widespread, because it's so hard to detect," says Andy Grant, a Security Analyst at iSEC Partners.

The bug allows anyone on the internet to read the memory of systems that use vulnerable versions of the OpenSSL software. It can reveal the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users, and the actual content. This allows attackers to eavesdrop on communications and steal data directly from the services.

"You should care about this because - whether you realize it or not - a hell of a lot of the security infrastructure you rely on is dependent in some way on OpenSSL," Matthew Green, a cryptographer and research professor at Johns Hopkins University, said on his blog. "This includes many of the websites that store your personal information. And for better or for worse, industry's reliance on OpenSSL is only increasing."

As the most serious security flaw uncovered in recent years, Heartbleed exposes encryption keys. If hackers get their hands on them, they can use those keys to impersonate servers, fool browsers' built-in security checks, or decrypt communications. This is like giving a thief the key to your front door.

Although the fix was circulated, it was unclear how quickly and widely it was being implemented. An analysis of the top 1000 most visited websites, posted on April 8th, 2014, revealed vulnerabilities in sites including Yahoo!, Imgur, Flickr, OkCupid, StackOverflow, Slate, and DuckDuckGo. Safe sites included Google, Facebook, Wikipedia, Twitter, and Amazon.

Codenomicon created the Heartbleed website to answer questions about the bug.