One of the most well-known vulnerabilities of the mid-2010’s was called “Heartbleed”. Heartbleed was particularly serious because it the software it affected “OpenSSL”, the main cryptographic library for HTTPS connections, which are very widely used. To make matters worse, the vulnerability had been present in OpenSSL for more than two years before it was discovered, publicised, and patched, which meant a lot of people were using a vulnerable version.
Heartbleed was a data leak vulnerability in the heartbeat extension that when exploited leaked data from RAM from the server to the client. The heartbeat extension is used to maintain a connection between the web server and the client without making a normal page request.
In the case of OpenSSL, the client sends a message to the server and informs the server of how long the message is, up to 64KB. The server is then supposed to echo the same message back. Crucially, however, the server actually didn’t check that the message was as long as the client claimed it was. This meant a client could send a 10KB message, claim it was 64KB and get a 64KB response, with the extra 54KB being comprised of the next 54KB of RAM, no matter what data was stored there. This process is well visualised by the XKCD comic #1354.
Image courtesy of xkcd.com.
By making a lot of small heartbeat requests, and claiming they were large ones, an attacker could build a picture of most of the server’s RAM by piecing the responses together. Data that is stored in RAM that could be leaked includes encryption keys, HTTPS certificates, as well as unencrypted POST data such as usernames and passwords.
Note: It’s less well known but the heartbeat protocol and the exploit also worked in the other direction. A malicious server could have been configured to read up to 64KB of user memory per heartbeat request.
The issue was discovered by multiple security researchers independently on the first of April 2014 and was disclosed privately to OpenSSL so a patch could be created. The bug was publicised when the patch was released on the seventh of April 2014. The best solution to resolve the issue was to apply the patch, but it was also possible to remediate the issue by disabling the heartbeat extension if patching immediately wasn’t an option.
Unfortunately, despite the exploit being public and generally well known, many websites still didn’t update immediately, with the vulnerability still being occasionally found even years later. This led to a number of instances of the exploit being used to gain access to accounts or leak data.