What Is the Heartbleed Vulnerability?

Posted on November 13, 2020 by Mel Hawthorne

One of the most well-known vulnerabilities of the mid-2010s was called “Heartbleed”. Heartbleed was particularly serious because the software it affected, “OpenSSL”, is the main cryptographic library behind HTTPS connections, which are very widely used. To make matters worse, the vulnerability had been present in OpenSSL for more than two years before it was discovered, publicised, and patched, which meant a lot of people were running a vulnerable version.

Heartbleed was a data leak vulnerability in the TLS heartbeat extension that, when exploited, leaked the contents of the server’s RAM to the client. The heartbeat extension is used to keep a connection alive between the web server and the client without making a normal page request.

In the case of OpenSSL, the client sends a message to the server and tells the server how long the message is, up to 64KB. The server is then supposed to echo the same message back. Crucially, however, the server never checked that the message was actually as long as the client claimed. This meant a client could send a 10KB message, claim it was 64KB and get a 64KB response, with the extra 54KB being made up of the next 54KB of the server’s RAM, whatever happened to be stored there. This process is well visualised by the XKCD comic #1354.

Image courtesy of xkcd.com.
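The missing length check described above, modelled in C as an added example (not OpenSSL’s own code): a simplified heartbeat handler in its vulnerable and fixed forms, run over a constructed record that claims 25 bytes of payload but carries only 2, placed directly in front of a placeholder “secret” in the same buffer. The record layout, function names and placeholder data are assumptions for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Record layout modelled here: [type:1][payload_length:2, big-endian][payload]. */
enum { HB_REQUEST = 1, HB_RESPONSE = 2, HB_HDR = 3 };
typedef size_t (*hb_handler)(const uint8_t *, size_t, uint8_t *, size_t);

/* Vulnerable shape: trusts the length the peer wrote into the record. */
size_t heartbeat_vulnerable(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap) {
    (void)rec_len;                              /* the received length is never consulted */
    uint16_t claimed = (uint16_t)((rec[1] << 8) | rec[2]);
    if (HB_HDR + (size_t)claimed > out_cap) return 0;
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + HB_HDR, rec + HB_HDR, claimed);  /* reads past the record when claimed is too big */
    return HB_HDR + claimed;
}

/* Fixed shape: drop any record whose claimed payload does not fit in what actually arrived.
 * (The real OpenSSL patch also reserves 16 bytes for padding; omitted here for brevity.) */
size_t heartbeat_fixed(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap) {
    if (rec_len < HB_HDR) return 0;
    uint16_t claimed = (uint16_t)((rec[1] << 8) | rec[2]);
    if (HB_HDR + (size_t)claimed > rec_len) return 0;   /* the missing bounds check */
    if (HB_HDR + (size_t)claimed > out_cap) return 0;
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + HB_HDR, rec + HB_HDR, claimed);
    return HB_HDR + claimed;
}

/* Constructed arena: a 5-byte request ("hi", claiming 25 bytes) sits directly
 * in front of unrelated data, standing in for neighbouring memory contents. */
#define NEIGHBOUR "PRIVATE-KEY-PLACEHOLDER"   /* 23 bytes, constructed marker, not a real key */

/* Returns 1 if the handler's response carries bytes from beyond the 5-byte record. */
int leaks_neighbour(hb_handler handler) {
    uint8_t arena[64] = { HB_REQUEST, 0x00, 0x19, 'h', 'i' };
    uint8_t resp[64];
    memcpy(arena + 5, NEIGHBOUR, sizeof NEIGHBOUR - 1);
    size_t n = handler(arena, 5, resp, sizeof resp);
    return n == HB_HDR + 25 && memcmp(resp + 5, NEIGHBOUR, sizeof NEIGHBOUR - 1) == 0;
}

/* Returns 1 if the handler still echoes a well-formed 2-byte heartbeat. */
int echoes_valid(hb_handler handler) {
    uint8_t rec[5] = { HB_REQUEST, 0x00, 0x02, 'h', 'i' }, resp[16];
    size_t n = handler(rec, sizeof rec, resp, sizeof resp);
    return n == 5 && resp[0] == HB_RESPONSE && memcmp(resp + HB_HDR, "hi", 2) == 0;
}
```

Running `leaks_neighbour` against both handlers shows the vulnerable one returning the placeholder bytes and the fixed one returning nothing, while `echoes_valid` confirms the fix still answers honest heartbeats.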

By making a lot of small heartbeat requests and claiming they were large ones, an attacker could build a picture of most of the server’s RAM by piecing the responses together. Data stored in RAM that could be leaked includes private encryption keys and HTTPS certificates, as well as unencrypted POST data such as usernames and passwords.

Note: It’s less well known, but the heartbeat protocol and the exploit also worked in the other direction. A malicious server could have been configured to read up to 64KB of the client’s memory per heartbeat request.

The issue was discovered independently by multiple security researchers on the first of April 2014 and was disclosed privately to OpenSSL so a patch could be created. The bug was publicised when the patch was released on the seventh of April 2014. The best way to resolve the issue was to apply the patch, but it was also possible to mitigate it by disabling the heartbeat extension if patching immediately wasn’t an option.

Unfortunately, despite the exploit being public and widely known, many websites still didn’t update immediately, and the vulnerability was still occasionally found even years later. This led to a number of instances of the exploit being used to gain access to accounts or leak data.

Filed Under: Internet

© Copyright 2021 Technipages · All Rights Reserved · Privacy