Heartbleed Vulnerability

The Heartbleed Bug is a major vulnerability in the popular and widely used OpenSSL cryptographic library, which is used by millions of websites. But what is this bug, and how can we protect ourselves from hackers?

This article will provide you with everything you need to know about the Heartbleed vulnerability. We will discuss what it is, its dangers, how to check if your website has been affected by this bug, as well as how to protect yourself against future attacks.

What is the Heartbleed Vulnerability and How Does it Work?

The Heartbleed bug allows anyone to read the memory of the server and extract its data without any authorisation. What this means is that an attacker could use the bug to steal passwords, credit card information, or other sensitive information from a website. You can think of this as a trick whereby hackers get a hold of your computer’s sensitive data.

The Heartbleed bug is a serious vulnerability that affects most modern web-based applications. It has been around since the end of 2014 but became a lot more famous after hackers exposed it to the masses in April 2016. It’s referred to as an OpenSSL bug and affects almost every website on the internet.

If you aren’t familiar with the term, here’s what you need to know about it. The Internet is made up of billions of servers and websites, each connecting to other sites via their individual network interfaces. For example, when you visit Facebook, your browser connects to that site using its IP address as an identifier. However, if you visit another website using Facebook as an intermediary, this gives hackers access to both your first website and second one without being detected. So basically, any website or app with an insecure connection could be at risk because they share resources with other sites or apps through direct or indirect connections like a CDN or proxy server.

Heartbleed bug in action

Heartbleed Code  

A single line of code causes the whole issue and exposes the victim to hackers:

memcpy(bp, pl, payload);

Let us explain the parts of this code to you:

  • The memcpy() function is used for data duplication/copying;
  • bp is the destination location where the copied data will be kept;
  • pl is the source’s address;
  • payload is the length of the data to be copied.

The above code, added to the open-source library by Robin Seggelmann, a developer from Germany, does not restrict the amount of data that the function copies from the source: the length comes straight from the request's ‘payload’ field. Because the code never compares payload with the actual size of the data at pl, malicious actors can access and copy more data than the victim intends to share.

This OpenSSL bug was revealed by Neel Mehta (from Google), alongside a Finnish company, Codenomicon.

Impact of Heartbleed

When a website or application is vulnerable to Heartbleed, it can be hacked by someone accessing the network interface. This means that your personal information, including passwords and credit cards, could be stolen by hackers. While many websites and apps have now patched this vulnerability, some open servers are still vulnerable.

The impact of Heartbleed has been widespread, as it affects almost every website on the internet. With numerous websites being affected and vulnerabilities being exposed from different vendors (the bug was discovered by an OpenSSL developer), it’s hard to know who to trust when it comes to security.

The Heartbleed vulnerability's impact on OpenSSL

OpenSSL is very widely used throughout the world, and when the Heartbleed issue was detected, it caused panic among all kinds of users around the globe. Upon investigation, it was found that this super-famous library was being maintained by just 2 people and that the software maintenance budget was really low at this point.

The above did two good things for OpenSSL as well as the open-source community.

  • People realized that running an open-source project is tough.

There were just 2 men exhausting their personal income and savings to keep OpenSSL alive. The incident made tech enthusiasts around the world realize that open-source projects should be supported financially as much as possible. For-profit development organizations, on the contrary, decided to help such projects through their development and security resources.

  • Financial Help

Considering the impact of Heartbleed, Linux decided to start an initiative named Core Infrastructure Initiative (CII). According to the criticality of projects, CII offers grants and other kinds of help. This program receives donations from the industry’s top businesses.

As there were positives, the event had a negative side too. Let’s explain it to you in detail under the next sub-heading.

The trend of Marketing Bug/Vulnerability-Finding

Heartbleed was not only discovered by Codenomicon in 2014. Google’s team also had knowledge of this issue, and they had forwarded their concerns to the OpenSSL team privately. However, Codenomicon decided to announce the problem publicly. Not just this, but they also turned the crisis into an opportunity to market their business through it.

Seeing the success of their approach, various businesses and individuals took the same path, making it a trend to release vulnerability details in public. Little did people realize (or care) that this approach makes life harder for the developers and gives malicious actors a bigger chance to exploit the loophole.

Sometimes, organizations or people even show their detected vulnerability as a critical finding and create fear among the public, causing issues for product owners/contributors at large.

In an industry where cybercriminals are already smart and developers/experts are already overburdened, such PR events end up creating big problems for security specialists and developers. And hence, it should be handled more responsibly.

The Heartbleed Fix

The above code, which exposed OpenSSL to the Heartbleed vulnerability, was fixed by releasing an updated version of the application, i.e. 1.0.1g, in April 2014. All later versions of the tool include the same (patched) code. So, in case you are still using an old OpenSSL version, upgrading to a version beyond 1.0.1g will sort the trouble for you.

Now, if you want to have a look at the Heartbleed fix out of curiosity, we can fulfill your wish effortlessly. After all, it's OpenSSL, which is open-source and available for all. Here you go:

/* Read type and payload length first */
if (1 + 2 + 16 > s->s3->rrec.length)
    return 0; /* silently discard */

hbtype = *p++;
n2s(p, payload);

if (1 + 2 + payload + 16 > s->s3->rrec.length)
    return 0; /* silently discard per RFC 6520 sec. 4 */

pl = p;

The code snippet now first verifies that the record is long enough to hold even an empty heartbeat: 1 type byte, 2 length bytes and 16 padding bytes. If it is not, as with a zero-length request, the request is discarded directly; otherwise Heartbleed may occur. Secondly, the code checks that the claimed payload length actually fits within the record that was received, rather than being an attempt to access more data than was sent.
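The one-line memcpy() bug and the two length checks from the fix, side by side, as an added example (this is not OpenSSL's code). The flat mem array, the sample secret and the function names are constructed for illustration, and the over-read stays inside that array.

```c
#include <stdio.h>
#include <string.h>

#define HB_HDR 3u       /* 1 type byte + 2 length bytes */
#define HB_PADDING 16u  /* minimum padding per RFC 6520 */

/* Constructed sample: mem[] stands in for process memory. The record holds
 * type, claimed length, payload "hi" and 16 padding bytes (21 bytes); a
 * made-up secret sits right after it. Returns the real record length. */
size_t build_sample(unsigned char mem[64], unsigned claimed)
{
    memset(mem, 0, 64);
    mem[0] = 1;                              /* heartbeat request */
    mem[1] = (unsigned char)(claimed >> 8);  /* sender-controlled length */
    mem[2] = (unsigned char)(claimed & 0xff);
    memcpy(mem + HB_HDR, "hi", 2);
    memcpy(mem + HB_HDR + 2 + HB_PADDING, "SECRET-KEY", 10);
    return HB_HDR + 2 + HB_PADDING;
}

/* Pre-fix behaviour: the claimed length goes straight into memcpy(). */
size_t echo_unchecked(const unsigned char *rec, size_t rec_len, unsigned char *bp)
{
    size_t payload = ((size_t)rec[1] << 8) | rec[2];
    (void)rec_len;                           /* never consulted: the bug */
    memcpy(bp, rec + HB_HDR, payload);
    return payload;
}

/* Patched behaviour: both length checks from the fix; 0 means discarded. */
size_t echo_checked(const unsigned char *rec, size_t rec_len, unsigned char *bp)
{
    if (HB_HDR + HB_PADDING > rec_len)
        return 0;                            /* too short for any heartbeat */
    size_t payload = ((size_t)rec[1] << 8) | rec[2];
    if (HB_HDR + payload + HB_PADDING > rec_len)
        return 0;                            /* claims more than was sent */
    memcpy(bp, rec + HB_HDR, payload);
    return payload;
}

int main(void)
{
    unsigned char mem[64], out[64] = {0};
    size_t rec_len = build_sample(mem, 40);  /* claims 40, carries 2 */
    printf("unchecked copied %zu bytes\n", echo_unchecked(mem, rec_len, out));
    printf("checked copied %zu bytes\n", echo_checked(mem, rec_len, out));
    return 0;
}
```

With the unchecked version, the bytes after the 2-byte payload and its padding are copied into the reply buffer; the checked version discards the same record and still echoes an honest one.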

How to Protect Yourself From the Heartbleed Bug

The Heartbleed bug has been around for a while and with good reason. So, how can you protect yourself from this vulnerability?

A good start is to update your software. If you’re using Internet Explorer, Firefox or Chrome, you should update these browsers as soon as possible. If you use Safari, update it to the latest version.

Another way to protect yourself is to change your passwords regularly and use different passwords on different websites. This will reduce the chances of being compromised by hackers who have accessed your account on one site through Heartbleed.

If you think that your website has been compromised by hackers, contact them immediately and avoid clicking any suspicious links in their emails or messages.

What are the Latest Developments in Heartbleed Bug?

The latest developments in the Heartbleed bug are that Facebook has removed the vulnerability on their website, and they have been working with Firefox to change their browser settings. Another development is that Yahoo has reported that they will be releasing an update to fix the bug on May 9th. But there's still no full solution for other sites.

Conclusion

The Heartbleed vulnerability can be fixed by updating your SSL certificate, changing your password and/or changing your website’s URL.

Updated:
February 26, 2024