Heartbleed is a serious vulnerability in the popular OpenSSL cryptographic software library that exists due to a bug in its implementation of the Transport Layer Security (TLS) protocol. OpenSSL is used to both provide and verify the secure connections between webservers and clients.
The security flaw was discovered by Neel Mehta of Google Security and a team of security researchers from Codenomicon, and publicly disclosed on April 7, 2014. The vulnerability can potentially allow sensitive, confidential, or financial information to be stolen or spoofed if it is used on a vulnerable website. The vulnerability was given the name “heartbleed” due to the fact that it affects the “heartbeat” function of OpenSSL, by which clients and more often servers use to keep a connection alive without infinite traffic.
Heartbleed is an OpenSSL feature that was introduced in version 1.0.01 in March of 2012 and it was not exposed until April of 2014. Once a vulnerable server is connected to, the Heartbeat request may be sent as part of the protocol or by an attacker. The request includes an arbitrary payload of data up to 64kb in size and is checked with a response if the data has been received from the server. The Heartbleed flaw allows an attacker to send a heartbeat request with a payload size larger than what is specified in the request. In doing so, the malicious request will not be checked with a response but instead the server will overflow its allocated memory and send back up to 64KB of random server memory.
The vulnerability became extremely widespread due to its ability to exploit popular web servers using OpenSSL to deliver encrypted web connections. Since the announcement, many major companies, including Google, Github, Kayak, Yahoo and Dropbox, have disclosed that they have been affected by the bug.
The Heartbleed bug is now patched on many websites and a typical user should be safe and take an extra step to secure their online accounts. This includes changing passwords that were used during potential attack times and enabling two-factor authentication when available. Users are also encouraged to stay up to date with website security updates and continuously check for news related to Heartbleed and other vulnerabilities.
