How the Heartbleed Bug Was Discovered
Heartbleed is the new scare on the Internet -- an exploit with such a widespread blast zone that two-thirds of the world's websites are believed to have been vulnerable to the bug. Although Heartbleed flew under the radar for more than two years, four engineers were able to uncover what some are calling the worst Internet exploit ever.
Heartbleed is a flaw in OpenSSL, one of the Internet's most widely used pieces of encryption software. Heartbleed essentially allows an attacker to steal personal information, including financial data, from anything on the Internet with a vulnerable OpenSSL component.
"The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs)," Codenomicon, the Finland-based security firm that discovered Heartbleed, wrote on Heartbleed.com.
"We attacked ourselves from outside, without leaving a trace. Without using any privileged information or credentials we were able to steal from ourselves the secret keys used for our X.509 certificates, user names and passwords, instant messages, emails and business critical documents and communication," Codenomicon revealed.
The only thing Internet users can do is find out if any web services they use were open to Heartbleed attacks and change their passwords.
So how exactly was Heartbleed discovered?
Codenomicon engineers Antti Karjalainen, Riku Hietamäki, and Matti Kamunen and Google Security's Neel Mehta are the four credited with discovering the Heartbleed exploit. According to Karjalainen, he and Hietamäki were testing some new features for Codenomicon's protocol test suite with a feature called Heartbeat, which sends data between servers to see if it comes back unaltered. After noticing some irregularities in the results, the engineers probed further with tests that would reveal Heartbleed.
"We were in the right place with the right tool," Karjalainen said in a Business Insider article. "It worked just as we feared. The server dumped the requested amount of its memory. When we investigated the response closer ... we soon understood that this is potentially a very, very bad vulnerability."
Codenomicon security specialist Marko Laakso then noticed that the OpenSSL in their test protocol suite was trickling private keys onto the Internet.
"The private keys are the crown jewels of the secure Internet," Karjalainen said. "They are used for proving that you are who you really say you are. So this was potentially the worst vulnerability in the history of the Internet."
Although the Heartbleed problem went undetected for two years, many agree that most hackers did not know about it until it was revealed earlier this week. For those affected, it's best to change passwords and not use the same one across multiple sites.
You can find out which sites were affected by Heartbleed here.