
Heartbleed flaw threatens millions of websites


Systems admins are being warned of a "potentially disastrous" security flaw that allows hackers to steal data from millions of websites worldwide without leaving a trace.


The so-called ‘Heartbleed' bug (CVE-2014-0160) was revealed by researchers from Finnish security firm Codenomicon and Google in a 7 April advisory. It compromises the OpenSSL security library used to protect many of the world's websites.

The bug, which has been in the wild for around two years, lets attackers steal what the researchers call the “crown jewels” – the website encryption keys which allow them to impersonate the administrators and steal any past and future traffic passing through the site.

The researchers say attackers can capture “anything worth encrypting”, including user passwords, financial details, emails and secret documents.

They explain: “We attacked ourselves from outside, without leaving a trace. We were able to steal from ourselves the secret keys used for our X.509 certificates, user names and passwords, instant messages, emails and business-critical documents and communication.”

The flaw is called ‘Heartbleed' because it comes from a programming mistake in OpenSSL's implementation of the TLS/DTLS (transport layer security protocols) ‘heartbeat' extension. It affects websites using OpenSSL 1.0.1 through to version 1.0.1f.

Website administrators have been urged to upgrade to the newly released OpenSSL 1.0.1g which patches the bug.

Explaining how widespread the vulnerability is, the researchers say OpenSSL is used in Apache and nginx web servers. These host more than 500 million websites, according to net monitoring firm Netcraft, though it is unclear how many of these servers use the affected software versions.

The researchers say OpenSSL is also used to protect email servers (SMTP, POP and IMAP protocols), chat servers (XMPP protocol), virtual private networks (SSL VPNs), network appliances and a wide variety of client-side software.

Jaime Blasco, director of AlienVault Labs, said his firm has tested different websites and as an example, Yahoo.com is vulnerable to the attack.

Security expert Paul Stone, senior consultant at Context Information Security, confirmed the scale of the threat. He told SCMagazineUK.com via email: “This is an extremely serious vulnerability that affects a large portion of HTTPS-enabled web servers. It's much easier to exploit compared to other recent SSL/TLS-related vulnerabilities because it doesn't require a man-in-the-middle scenario; an attacker can connect directly to any web server running unpatched versions of the OpenSSL software and read portions of the server's memory.”

Kaspersky Lab senior researcher David Emm agreed, telling SCMagazineUK.com via email: “The existence of the CVE-2014-0160 vulnerability is clearly important. OpenSSL is widely used to secure internet-based communications – web, email, IM and VPN. If exploited, this vulnerability would allow an attacker to read the memory of vulnerable systems. They could intercept any sensitive information – including, but not limited to, user names and passwords, for example, in order to assume the identity of a website provider or its customers.”

Paul Stone added: “Since this attack is so easy to carry out and exploit code is already available, it is certain that sensitive data is being stolen from thousands of websites by skilled and unskilled attackers alike. Website operators should follow advice to patch their servers, update their encryption keys and monitor for compromised user accounts and data.

“The only slight upside is that the attacker has no control over what data is read – therefore, it is difficult to target a particular user's data or password using this attack.”

Tim (TK) Keanini, CTO of Lancope, said the whole issue was “a mess” and explained how badly users are affected.

He told SCMagazineUK.com via email: "This is one of the most major vulnerabilities to happen this year and it will be with us for quite some time as everyone who is vulnerable will need to remediate.

“Most if not all of the major websites are aware and have fixed this problem – that is not the major concern. The major concern is everyone else who is affected by this bug as it does not just apply to websites and most have no idea they are at risk.

“It is not easy for most people to know what version they are running and if this is built into a router or embedded device, chances are very slim they will ever know. The attacker will also leave no logs when they perform their attack. What a mess - and these messes are a normal part of the internet.”

The Codenomicon and Google researchers say intrusion detection and prevention systems (IDS/IPS) can be trained to detect use of the heartbeat request, by comparing the size of the request against the size of the reply. “Use of Perfect Forward Secrecy (PFS), which is unfortunately rare but powerful, should protect past communications from retrospective decryption,” they add.
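The size comparison the researchers describe can be turned into a simple check over captured TLS records. The code below is an added example, not from the advisory or from any IDS product: it parses a heartbeat record (content type 0x18, RFC 6520 message layout), flags a request whose claimed payload length exceeds what the record actually carries, and flags a reply that is larger than the request it answers. The sample records are constructed inline; a vulnerable server's oversized reply is simulated with zero bytes.

```python
import struct

HEARTBEAT_CONTENT_TYPE = 0x18      # TLS record content type for heartbeat
HB_REQUEST, HB_RESPONSE = 1, 2     # HeartbeatMessageType values (RFC 6520)
MIN_PADDING = 16                   # RFC 6520 requires at least 16 bytes of padding


def parse_heartbeat_record(raw):
    """Parse one TLS record carrying a heartbeat message.
    Returns (msg_type, claimed_payload_length, fragment_length)."""
    content_type, _version, length = struct.unpack("!BHH", raw[:5])
    if content_type != HEARTBEAT_CONTENT_TYPE:
        raise ValueError("not a heartbeat record")
    fragment = raw[5:5 + length]
    if len(fragment) != length:
        raise ValueError("truncated record")
    msg_type, claimed = struct.unpack("!BH", fragment[:3])
    return msg_type, claimed, length


def classify_exchange(request, response):
    """Return a list of findings for one heartbeat request/response pair."""
    findings = []
    req_type, req_claimed, req_len = parse_heartbeat_record(request)
    rsp_type, _, rsp_len = parse_heartbeat_record(response)
    if req_type != HB_REQUEST or rsp_type != HB_RESPONSE:
        findings.append("unexpected heartbeat message types")
    # The bounds check a patched OpenSSL performs: the claimed payload length
    # must fit inside the fragment after the 3-byte header and minimum padding.
    if req_claimed > req_len - 3 - MIN_PADDING:
        findings.append("request claims more payload than it carries")
    # The researchers' IDS heuristic: a reply larger than its request
    # means the server echoed bytes it was never sent.
    if rsp_len > req_len:
        findings.append(f"response ({rsp_len} B) larger than request ({req_len} B)")
    return findings


def build_record(msg_type, claimed_len, payload, padding=b"\x00" * MIN_PADDING):
    """Constructed test helper: wrap a heartbeat message in a TLS 1.1 record."""
    fragment = struct.pack("!BH", msg_type, claimed_len) + payload + padding
    return struct.pack("!BHH", HEARTBEAT_CONTENT_TYPE, 0x0302, len(fragment)) + fragment


# Constructed sample traffic: a well-formed exchange and a leaking one.
BENIGN_REQUEST = build_record(HB_REQUEST, 4, b"ping")
BENIGN_RESPONSE = build_record(HB_RESPONSE, 4, b"ping")
SUSPECT_REQUEST = build_record(HB_REQUEST, 0x4000, b"ping")
LEAKY_RESPONSE = build_record(HB_RESPONSE, 0x4000, b"ping" + b"\x00" * (0x4000 - 4))

if __name__ == "__main__":
    print("benign:", classify_exchange(BENIGN_REQUEST, BENIGN_RESPONSE))
    print("suspect:", classify_exchange(SUSPECT_REQUEST, LEAKY_RESPONSE))
```

In a real deployment the same two checks would run over reassembled TLS records from a capture or an IDS plugin, pairing each heartbeat request with the next response on the same connection.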

And they say one bright side is: “Although this is painful for the security community, we can rest assured that infrastructure of the cyber criminals and their secrets have been exposed as well.”

More details of fixes and patches for Heartbleed are provided by the US SANS security research organisation.
