What is the Heartbleed Vulnerability and How Can I Protect Myself
The Heartbleed bug is a major vulnerability in the popular and widely used OpenSSL cryptographic library, which sits underneath millions of websites and network services. But what exactly is this bug, and how can we protect ourselves from attackers who exploit it?
This article covers what you need to know about the Heartbleed vulnerability: what it is and how it works, what damage it can do, how to check whether your servers are affected, and how to protect yourself against it.
What is the Heartbleed Vulnerability and How Does it Work?
The Heartbleed bug lets anyone who can open a TLS connection to a vulnerable server read chunks of that server's process memory, up to 64 KB per request, with no authentication and typically nothing written to application logs. Whatever happens to be in that memory can be taken: session cookies, passwords other users have just submitted, the contents of other users' requests and, in the worst case, the server's TLS private key. Note that it is the server's memory that leaks, not your own computer's; a vulnerable client that connects to a malicious server can be bled in the same way, but the bug lives in OpenSSL, not in the browser itself.
Heartbleed is tracked as CVE-2014-0160. It was introduced in OpenSSL 1.0.1, released in March 2012, and went unnoticed until it was disclosed publicly on 7 April 2014. It affects only OpenSSL 1.0.1 through 1.0.1f (and the 1.0.2-beta1 pre-release) with the TLS heartbeat extension enabled, but because OpenSSL is the TLS library behind Apache, nginx and countless other servers, that still meant roughly half a million widely trusted HTTPS sites at the time, plus mail servers, VPN appliances and embedded devices.
Here is the mechanism. TLS has an optional heartbeat extension (RFC 6520) that lets either end of a connection send a small "are you still there?" message. A HeartbeatRequest carries a one-byte type, a two-byte payload length, an arbitrary payload and at least 16 bytes of padding, and the peer is supposed to answer with a HeartbeatResponse that echoes the payload back verbatim. OpenSSL's implementation read the payload length from the message and echoed that many bytes without ever checking that the message actually contained that many. An attacker who sends a one-byte payload with a declared length of 65535 gets back that one byte followed by up to 64 KB of whatever sat next to the request in the server's heap, and repeating the request thousands of times lets the attacker sift through a constantly changing window of server memory.
The whole issue comes down to a single line in the heartbeat handler, memcpy(bp, pl, payload), whose parts are:
- memcpy() copies a block of memory from a source address to a destination address;
- bp is the destination: the position in the freshly allocated response buffer just after the type and length fields;
- pl is the source: a pointer to the payload bytes inside the incoming heartbeat record;
- payload is the number of bytes to copy, taken straight from the two-byte length field the client sent.
This code, contributed by Robin Seggelmann, a German developer who implemented the heartbeat extension, never compares the client-supplied payload value with the number of bytes actually received in the record. A benign client sets the length field to match its payload, so the copy is normally harmless. A malicious client sets the length to a large value while sending almost no payload, and memcpy() dutifully reads past the end of the received message into adjacent heap memory, which is then sent back to the attacker as the "echo". Because the length field is 16 bits wide, each request can leak up to 65535 bytes.
The bug was found independently by Neel Mehta of Google's security team, who reported it privately to the OpenSSL developers, and by engineers at the Finnish security company Codenomicon, who gave it the name Heartbleed. It was disclosed publicly on 7 April 2014.
Impact of Heartbleed
When a server is vulnerable to Heartbleed, anyone who can reach its TLS port can repeatedly bleed its memory; no credentials, no user interaction and no exploit chain are needed. Anything that recently passed through the server process is at risk: usernames and passwords submitted in login forms, session cookies that allow account takeover, and the server's TLS private key, which lets an attacker impersonate the site or decrypt captured traffic that was not protected by forward secrecy. Most major sites patched within days of the disclosure, but unpatched servers and embedded devices kept turning up for years afterwards.
The impact has been widespread because OpenSSL sits beneath so much of the internet's infrastructure: the same flaw surfaced in products from dozens of vendors who had simply shipped the library. The bug was introduced by an OpenSSL contributor and sat unnoticed in the code for two years before outside researchers found it, which left many people wondering how much trust to place in widely used but thinly resourced open-source components.
The Heartbleed vulnerability's impact on OpenSSL
OpenSSL is used throughout the world, and the Heartbleed disclosure alarmed its users everywhere. On closer inspection it turned out that this critical library was being maintained by a handful of mostly volunteer developers, with essentially one full-time engineer and an annual donation income of roughly two thousand dollars.
The episode did two good things for OpenSSL and for the open-source community.
- People realized that running an open-source project is tough.
A few developers had been spending their own time and money to keep OpenSSL alive. The incident made the industry realize that critical open-source projects need sustained financial support, and for-profit companies began contributing developer and security-review time to such projects as well as money.
- Financial Help
In response to Heartbleed, the Linux Foundation launched the Core Infrastructure Initiative (CII) in 2014. CII awards grants and other support to open-source projects according to how critical they are, funded by donations from some of the industry's largest companies; OpenSSL itself received money for full-time developers and an independent security audit.
Alongside these positives, the event had a negative side too, which the next section explains.
The Trend of Marketing Vulnerability Discoveries
Codenomicon was not the only party that discovered Heartbleed in 2014. Google's team had found it first and reported it privately to the OpenSSL developers, who were preparing a coordinated fix. Codenomicon, finding it independently a few days later, gave the bug a memorable name, a logo and a dedicated website, and that branding became a marketing opportunity for the company.
Seeing how much attention this earned, other companies and researchers followed the same path, and branded, heavily publicized vulnerability disclosures became a trend. Less thought was given to the cost: developers racing to patch under a spotlight, and attackers handed a head start before most users could update.
Sometimes organizations or individuals present a finding as far more critical than it is, creating fear among the public and extra work for the product's owners and contributors.
In an industry where attackers are already capable and developers and defenders are already overburdened, such PR events create real problems for the people who have to fix and deploy the patches. Disclosure should be handled more responsibly.
The Heartbleed Fix
The vulnerable code was fixed in OpenSSL 1.0.1g, released on 7 April 2014, and every later release carries the fix. The 0.9.8 and 1.0.0 branches never implemented the heartbeat extension and were not affected. If you are still running 1.0.1 through 1.0.1f (or 1.0.2-beta1), upgrade to 1.0.1g or later; if you cannot upgrade immediately, rebuilding with -DOPENSSL_NO_HEARTBEATS removes the extension altogether. Patching the library does not undo an earlier leak, though: treat the private key as compromised, generate a new key pair, reissue and revoke certificates, and invalidate active sessions.
The fix itself is short, and since OpenSSL is open source anyone can read it in the 1.0.1g source. It adds two checks before the copy. First, it discards any heartbeat record too short to hold even the fixed fields: the type byte, the two-byte length and the 16 bytes of minimum padding (1 + 2 + 16 bytes). Second, after reading the claimed payload length, it checks that 1 + 2 + payload + 16 does not exceed the number of bytes actually received in the record and, as RFC 6520 requires, silently drops the message if it does. Only once both checks pass is the payload copied into the response.
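To make the vulnerable line and the fix concrete, here is an added example (not OpenSSL's code, and not part of the original article) that models the heartbeat handler in plain C. The record format, the n2s/s2n helpers and the 1 + 2 + payload + 16 checks follow OpenSSL, but the buffers, the "ping" payload and the secret string placed next to the request are constructed for the demo; the arena array stands in for the server's heap so the over-read stays inside one object and is well defined.

```c
#include <stdio.h>
#include <string.h>

#define TLS1_HB_REQUEST  1
#define TLS1_HB_RESPONSE 2
#define HB_PADDING 16   /* RFC 6520: a heartbeat carries at least 16 bytes of padding */

/* 16-bit big-endian length, as OpenSSL's n2s()/s2n() macros do it. */
static unsigned int n2s(const unsigned char *p) { return ((unsigned int)p[0] << 8) | p[1]; }
static void s2n(unsigned int v, unsigned char *p) { p[0] = (unsigned char)(v >> 8); p[1] = (unsigned char)v; }

/* Build a HeartbeatRequest: type(1) | payload_length(2) | payload | padding(16).
 * claimed_len goes on the wire; actual_len is how many payload bytes are really
 * sent. A benign client makes them equal; the attack declares a large claimed_len
 * while sending almost nothing. Returns bytes written, or 0 if out is too small. */
size_t build_heartbeat_request(unsigned char *out, size_t cap,
                               const unsigned char *payload, size_t actual_len,
                               unsigned int claimed_len)
{
    size_t total = 1 + 2 + actual_len + HB_PADDING;
    if (claimed_len > 0xFFFF || total > cap) return 0;
    out[0] = TLS1_HB_REQUEST;
    s2n(claimed_len, out + 1);
    memcpy(out + 3, payload, actual_len);
    memset(out + 3 + actual_len, 0xAA, HB_PADDING);  /* padding bytes are arbitrary */
    return total;
}

/* Vulnerable handler, modelled on OpenSSL 1.0.1f: it trusts the length field in
 * the message and copies that many bytes from pl, never looking at how many
 * bytes the record actually delivered. Returns the response length, or 0 if
 * the response buffer is too small. */
size_t process_heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                                    unsigned char *resp, size_t resp_cap)
{
    const unsigned char *p = rec, *pl;
    unsigned char *bp = resp;
    unsigned int hbtype, payload;
    (void)rec_len;                    /* never consulted: that is the bug */

    hbtype = *p++;
    payload = n2s(p); p += 2;
    pl = p;
    if (hbtype != TLS1_HB_REQUEST) return 0;
    if (1 + 2 + payload + HB_PADDING > resp_cap) return 0;

    *bp++ = TLS1_HB_RESPONSE;
    s2n(payload, bp); bp += 2;
    memcpy(bp, pl, payload);          /* the Heartbleed line: over-reads past the record */
    bp += payload;
    memset(bp, 0, HB_PADDING);        /* OpenSSL fills this with RAND_pseudo_bytes() */
    return 1 + 2 + payload + HB_PADDING;
}

/* Fixed handler, modelled on the 1.0.1g patch: drop the record if it cannot even
 * hold the fixed fields, and drop it if the claimed payload does not fit inside
 * the bytes actually received. Once both checks pass, the copy above is safe. */
size_t process_heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                               unsigned char *resp, size_t resp_cap)
{
    if (1 + 2 + HB_PADDING > rec_len) return 0;                 /* silently discard */
    if (1 + 2 + n2s(rec + 1) + HB_PADDING > rec_len) return 0;  /* silently discard */
    return process_heartbeat_vulnerable(rec, rec_len, resp, resp_cap);
}

/* Portable stand-in for memmem(): does needle occur anywhere inside hay? */
static int contains(const unsigned char *hay, size_t hay_len, const char *needle)
{
    size_t n = strlen(needle), i;
    for (i = 0; i + n <= hay_len; i++)
        if (memcmp(hay + i, needle, n) == 0) return 1;
    return 0;
}

/* Demo: a 23-byte request sits in a buffer whose following bytes hold a
 * constructed secret, standing in for whatever was next to it in the server's
 * heap. Returns 1 if the handler's response leaks that secret. */
int demo_leak(size_t (*handler)(const unsigned char *, size_t, unsigned char *, size_t))
{
    const char *secret = "session=abc123; password=hunter2";  /* constructed sample */
    unsigned char arena[256] = {0}, resp[256];
    size_t rec_len, resp_len;

    rec_len = build_heartbeat_request(arena, sizeof arena, (const unsigned char *)"ping", 4, 100);
    memcpy(arena + rec_len, secret, strlen(secret));   /* the "adjacent memory" */
    resp_len = handler(arena, rec_len, resp, sizeof resp);
    return resp_len > 0 && contains(resp, resp_len, secret);
}

/* A well-formed request (declared length equals real length) must still be
 * answered by the fixed handler. Returns the response length, 23 for "ping". */
size_t demo_benign_fixed(void)
{
    unsigned char rec[64], resp[64];
    size_t rec_len = build_heartbeat_request(rec, sizeof rec, (const unsigned char *)"ping", 4, 4);
    size_t resp_len = process_heartbeat_fixed(rec, rec_len, resp, sizeof resp);
    if (resp_len == 0 || resp[0] != TLS1_HB_RESPONSE || memcmp(resp + 3, "ping", 4) != 0) return 0;
    return resp_len;
}

int main(void)
{
    printf("vulnerable handler leaks adjacent memory: %s\n", demo_leak(process_heartbeat_vulnerable) ? "yes" : "no");
    printf("fixed handler leaks adjacent memory:      %s\n", demo_leak(process_heartbeat_fixed) ? "yes" : "no");
    return 0;
}
```

The vulnerable handler answers the 4-byte "ping" with a 100-byte echo that carries the secret placed after the record; the fixed handler drops that request and answers only the honest one. Note that the fix is purely a length check, which is why the same copy routine is reused once the check has passed.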
How to Protect Yourself From the Heartbleed Bug
Heartbleed is a decade old, yet unpatched systems still turn up. What can you do about it, as a server operator and as a user?
If you operate servers, start by checking which OpenSSL your systems actually load (openssl version on the host, and for services that bundle their own copy, check the service itself). Versions 1.0.1 through 1.0.1f and 1.0.2-beta1 are affected; 1.0.1g and later, and the 0.9.8 and 1.0.0 branches, are not. Be aware that Linux distributions backported the fix without changing the version number (a patched Red Hat or Debian build can still report 1.0.1e), so confirm with the package changelog or a behavioural test such as nmap's ssl-heartbleed script. After patching, generate new private keys, reissue and revoke certificates, and invalidate existing sessions. Updating your browser, on the other hand, does little here: the desktop browsers of the time did not use OpenSSL, and the flaw lives on the server.
As a user, change your password on a site only after that site has patched; changing it while the server is still vulnerable simply exposes the new password too. Use a different password for every site so that one leaked credential cannot be reused elsewhere, and enable two-factor authentication where it is offered.
If you believe an account of yours has been compromised, contact the service directly through its official website, and be wary of unsolicited "reset your password because of Heartbleed" emails: phishers sent those in large numbers after the disclosure, and their links lead to credential-harvesting pages.
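For fleet triage, the first pass is usually to collect version banners from every host and flag the ones in the affected range. The classifier below is an added example, not code from the original article or from OpenSSL, and it implements exactly the version range stated above (1.0.1 through 1.0.1f and 1.0.2-beta1 affected; 1.0.1g, 1.0.2-beta2, 0.9.8, 1.0.0 and everything newer not affected). The banner strings are constructed samples. Because distributions backport fixes without bumping the version, a VULNERABLE result means "confirm with a behavioural test", not "confirmed exploitable".

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

enum hb_status { HB_UNKNOWN = -1, HB_NOT_AFFECTED = 0, HB_VULNERABLE = 1 };

/* Classify an OpenSSL version banner such as "OpenSSL 1.0.1e-fips 11 Feb 2013".
 * Affected upstream releases (CVE-2014-0160): 1.0.1 through 1.0.1f, and
 * 1.0.2-beta1. 0.9.8 and 1.0.0 never had the heartbeat extension; 1.0.1g and
 * 1.0.2-beta2 carry the fix. Anything that does not parse as a version is
 * reported as HB_UNKNOWN rather than guessed at. */
enum hb_status heartbleed_status(const char *banner)
{
    const char *p = banner;
    char *end;
    long major, minor, fix;
    char letter = 0;

    if (strncmp(p, "OpenSSL", 7) == 0) p += 7;   /* the prefix is optional */
    while (*p == ' ') p++;

    major = strtol(p, &end, 10); if (end == p || *end != '.') return HB_UNKNOWN; p = end + 1;
    minor = strtol(p, &end, 10); if (end == p || *end != '.') return HB_UNKNOWN; p = end + 1;
    fix   = strtol(p, &end, 10); if (end == p) return HB_UNKNOWN; p = end;

    if (*p >= 'a' && *p <= 'z') letter = *p++;   /* patch letter: 1.0.1f, 1.0.1g, ... */

    if (major == 1 && minor == 0 && fix == 1)    /* 1.0.1 (no letter) .. 1.0.1f */
        return (letter == 0 || letter < 'g') ? HB_VULNERABLE : HB_NOT_AFFECTED;
    if (major == 1 && minor == 0 && fix == 2)    /* only the first beta was affected */
        return (strncmp(p, "-beta1", 6) == 0 && !isdigit((unsigned char)p[6]))
               ? HB_VULNERABLE : HB_NOT_AFFECTED;
    return HB_NOT_AFFECTED;                      /* 0.9.8, 1.0.0, 1.1.x, 3.x, ... */
}
```

Feed it the output of openssl version from each host, or the Server banner of anything that advertises its library, and probe every VULNERABLE or UNKNOWN result before trusting the answer; a 1.0.1e that a distribution patched in place will be flagged here and cleared by the probe.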
What are the Latest Developments in the Heartbleed Bug?
Facebook, Yahoo and the other large providers found to be exposed patched their servers and rotated their certificates within days of the April 2014 disclosure, and every supported OpenSSL release since has carried the fix. There is no outstanding "full solution" still to come; the remaining risk is the long tail of unmaintained servers, appliances and embedded devices that still ship an OpenSSL 1.0.1 build and have never been updated.
Fixing Heartbleed on a server means upgrading OpenSSL to a patched version, then replacing the TLS certificate with one issued for a newly generated private key and revoking the old one, invalidating existing sessions, and asking users to change their passwords. Changing a website's URL does nothing to address it.