Tuesday, 15 April 2014

Everything you need to know about the Heartbleed bug - PART 3

Who discovered the vulnerability?

It was discovered independently by researchers at Codenomicon and Google Security. Codenomicon created a user-friendly website about the vulnerability, helping to rapidly spread awareness.
To minimize the damage from the disclosure, the researchers worked with the OpenSSL team and other key insiders to prepare fixes before the problem was announced publicly.


How did the Heartbleed bug get added to OpenSSL?

The flawed code was added to the experimental version of SSL at the end of 2011 and released to the public in March 2012. The flawed software patch was submitted by a German man named Robin Seggelmann.
"I was working on improving OpenSSL and submitted numerous bug fixes and added new features," he told the Sydney Morning Herald. "In one of the new features, unfortunately, I missed validating a variable containing a length."
The submission was reviewed by an OpenSSL developer, but neither man noticed that the code could be exploited to trick servers into leaking the contents of memory.



Has anyone actually exploited the Heartbleed vulnerability?

We don't know. Security researchers have built proof-of-concept software to exploit the Heartbleed Bug. But so far, there have been no confirmed cases of malicious parties using the bug to steal user data.
However, that doesn't mean it's not happening. For the next few days, people will be on the lookout for suspicious activity. So hackers who steal users' passwords, credit card numbers, and other private data might decide to lie low for a while before trying to take advantage of this information. And when they do, we might not know if they got the information through a Heartbleed attack or some other tactic.

No comments:

Post a Comment