Heartbleed is a vulnerability in the OpenSSL cryptographic library. The vulnerability is present in sites powered by OpenSSL versions 1.0.1 through 1.0.1f, and has affected more than 500,000 sites. This bug enables hackers to capture names and passwords, steal credit card data, and eavesdrop on communications. According to an advisory from Carnegie Mellon University’s CERT, the sensitive information that may be retrieved using this vulnerability includes primary key material (secret keys), secondary key material (user names and passwords used by vulnerable services), protected content (sensitive data used by vulnerable services)
and collateral (memory addresses and content that can be leveraged to bypass exploit mitigations).
Heartbleed exploits a built-in feature of OpenSSL called heartbeat. When your computer accesses a website, the website will send a “Heartbeat Request” message, consisting of a text string with length say 16-bit integer. The receiving computer then must send the exact same data back to the sender. The affected versions (1.0.1 through 1.0.1f) of OpenSSL allocate a memory buffer for the message to be returned based on the length field in the requesting message, without regard to the size of actual data in that message. Because of this failure to do proper bounds checking, the message returned consists of the requested data followed by whatever else happened to be in the allocated memory buffer. As a result, the oversized memory buffer returned to the requester was likely to contain data from memory blocks that had been previously requested and freed by OpenSSL. Such memory blocks may contain sensitive data sent by users or even the private keys used by OpenSSL.
After the discovery of the bug, the OpenSSL software was rapidly patched. And as far you are concerned, you should definitely change your passwords at least for the services confirmed as vulnerable and have now been fixed, such as Google and Yahoo. This password changing recommendation is nothing but a precaution, because even if hackers knew about the problem, the chances of them getting your password, and being able to match up that data to your username are pretty slim. Some people claim that the encryption certificates for servers could have been stolen, but the company CloudFlare has said it’s very difficult to do so. It published a challenge to whoever could steal this key, and it appears that someone did, during a server reboot. Regardless of the probability, companies are changing encryption keys so new data is not vulnerable if somebody was able to obtain the old keys.
