4
The Heartbleed Bug

The Heartbleed Bug

Updated Aug 29, 2018 at 03:38AM EDT by Y F.

Added Apr 11, 2014 at 02:34PM EDT by Avocat.

PROTIP: Press 'i' to view the image gallery, 'v' to view the video gallery, or 'r' to view a random entry.

This submission is currently being researched & evaluated!

You can help confirm this entry by contributing facts, media, and other evidence of notability and mutation.


Overview

The Heartbleed Bug is a glitch found in OpenSSL, a widely used open-source cryptography software, that allows exploiters to infiltrate any of its host systems and gain access to private data of millions of Internet users. After its initial discovery and announcement in April 2014, Heartbleed quickly became a hot topic in the coding community and tech blogosphere, most notably due to its widespread impact and extended length of exposure.

Background

On April 7th, 2014, Google Security researcher Neel Mehta reported a bug in all versions of OpenSSL in the 1.0.1 series that could leak encrypted data from the application's host memory. The cause has been identified as a result of an erroneous request handling in the implementation of the Transport Layer Security's Heartbeat Extension, a protocol used to keep a TLS connection alive after it has been established, without needing to transmit meaningful information. The Heartbeat protocol works by sending a Heartbeat request message with arbitrary data of up to 64 Kibibyte to a server and receiving a response message with an exact copy of the payload [7]. Due to a programming mistake in OpenSSL an attacker could exploit the Heartbeat Extension by falsifying the length figure of its query; for example, if a user reports the maximum length figure of 64 KiB for an actual data transmission of 1 KiB, the host would return the original query (1 KiB) to the sender and compensate for the remainder of the fraudulent claim with 63 KiB of data taken from the active memory of the Server on which OpenSSL is running. The non-arbitrary data returned by the server could contain any kind of sensitive information, ranging from user information like passphrases to sensitive documents or even the secret encryption keys themselves [5].

Notable Developments

The bug is registered in the Common Vulnerabilities and Exposures system as CVE-2014-0160. While the bug was announced on April 10th, 2014, audit logs indicate that it was known for about five months prior to re-discovery. There is a site that allows user to enter a URL and check if the link is safe from the bug (URL needed) and an official image has been created to help spread awareness.

List of Affected (and Recovered) Sites

Since the discovery of the bug, most affected sites have patched the issue.

Akamai Technologies
Amazon Web Service
Ars Technica
Bitbucket
BrandVerity
GitHub
IFTTT
PeerJ
SoundCloud
SourceForge
SparkFun
Stripe (company)
Tumblr
Wattpad
Wikimedia (including Wikipedia)
Wunderlist
Steam community
Reddit

Search Interest

External References

[1] OpenSSL – OpenSSL Security Advisory [07 Apr 2014]

[2] StackExchange – How exactly does the OpenSSL TLS heartbeat (Heartbleed) exploit work?

[3] Common Vulnerabilities and Exposures – CVE-2014-0160

[4] Troy Hunt – Everything you need to know about the Heartbleed SSL bug

[5] Heartbleed.com – The Heartbleed Bug

[6] BBC – Heartbleed bug: What you need to know

[7] Standard RFC 6520 – Heartbeat TLS Extension

Recent Videos 1 total

     

Recent Images 2 total

   

Top Comments


+ Add a Comment

Comments (14)


Display Comments

Add a Comment


Howdy! You must login or signup first!