Researchers have now confirmed that exploit code targeting the Heartbleed bug (CVE-2014-0160), which affects some versions of OpenSSL, can coax a vulnerable server into leaking enough data stored in memory to fully reconstruct private encryption keys, exposing sensitive data and communications.

On Friday, April 11th, CloudFlare announced the Heartbleed Challenge, in which they set up an nginx server running a vulnerable version of OpenSSL and challenged security researchers to steal the private key.

“The world was up to the task: two people independently retrieved private keys using the Heartbleed exploit,” CloudFlare announced.

“The first valid submission was received at 16:22:01PST by Software Engineer Fedor Indutny. He sent at least 2.5 million requests over the course of the day. The second was submitted at 17:12:19PST by Ilkka Mattila at NCSC-FI, who sent around a hundred thousand requests over the same period of time,” the company stated.

“Two more confirmed winners: Rubin Xu, PhD student in the Security group of Cambridge University submitted at 04:11:09PST on 04/12; and Ben Murphy, Security Researcher submitted at 7:28:50PST on 04/12.”

These findings confirm what had previously only been speculated: that attackers can exploit the Heartbleed vulnerability to monitor encrypted data passed between a service and a client, and even decrypt historical data that was previously collected.

“This result reminds us not to underestimate the power of the crowd and emphasizes the danger posed by this vulnerability,” CloudFlare’s Nick Sullivan said.

OpenSSL is used by two of the most widely used Web servers, Apache and nginx, as well as email servers (SMTP, POP and IMAP protocols), chat services (XMPP protocol), virtual private networks (SSL VPNs) and other software that uses the OpenSSL code library.

“The bad news is that [discovery] changes our recommendation from: reissue and revoke as a medium priority to reissue and revoke as a high priority,” said Matthew Prince, CEO of CloudFlare. “We’ve accelerated our own reissuance and revocation process.”
