# The Heartbleed Bug



## Allu Azad (Apr 8, 2014)

I am surprised that this hasn't been posted here yet.

Heartbleed Bug

Test your server for Heartbleed (CVE-2014-0160)




> The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).


----------



## Superayush (Apr 8, 2014)

When I first read the title I thought it was some serious new threat to the human heart...phew...


----------



## arijitsinha (Apr 8, 2014)

Steam has not issued a fix for it yet. So be careful (better refrain from using) while accessing any Steam services, for example ones which require you to log in through OpenSSL.


----------



## Vyom (Apr 8, 2014)

Complete list of the sites which were tested against this vulnerability:

*github.com/musalbas/heartbleed-masstest/blob/master/top1000.txt

These sites are vulnerable:






yahoo.com
imgur.com
stackoverflow.com
kickass.to
flickr.com
redtube.com
sogou.com
adf.ly
outbrain.com
archive.org
addthis.com
stackexchange.com
popads.net
avito.ru
kaskus.co.id
web.de
suning.com
zeobit.com
beeg.com
seznam.cz
okcupid.com
pch.com
xda-developers.com
steamcommunity.com
slate.com
scoop.it
hidemyass.com
123rf.com
m-w.com
dreamstime.com
amung.us
leo.org
eventbrite.com
wetransfer.com
sh.st
entrepreneur.com
zoho.com
yts.re
usmagazine.com
fool.com
digitalpoint.com
picmonkey.com
petflow.com
squidoo.com
avazutracking.net
elegantthemes.com
500px.com



Surprised to see the following sites still vulnerable!
stackoverflow.com
xda-developers.com
steamcommunity.com


----------



## amjath (Apr 9, 2014)

Vyom said:


> Complete list of the sites which were tested against this vulnerability:
> 
> *github.com/musalbas/heartbleed-masstest/blob/master/top1000.txt
> 
> ...



It contains many sites which I often use.


----------



## bssunilreddy (Apr 9, 2014)

Superayush said:


> When I first read the title I thought it was some serious new threat to the human heart...phew...



Superb man...


----------



## arijitsinha (Apr 9, 2014)

Is there any misuse identified? I don't care about the passwords, but what I am really worried about is card details.


----------



## anirbandd (Apr 10, 2014)

Superayush said:


> When I first read the title I thought it was some serious new threat to the human heart...phew...



well, it is, once you think about it.. 






you see, if a black hat gets your login and transaction credentials when you log in to your bank [thankfully there are no bank sites in that list], then he can quite easily get all your money.

then when you get SMSes of the transactions, you may get a threat to your heart.






just jokin! 





or am i??


----------



## harshilsharma63 (Apr 10, 2014)

Why is it called 'heartbleed', though it sounds pretty cool?


----------



## Superayush (Apr 10, 2014)

anirbandd said:


> well, it is, once you think about it..
> 
> 
> 
> ...



Hey, but for online transactions don't you require a unique PIN/OTP, so a hacker actually cannot really misuse your stored info?


----------



## a_k_s_h_a_y (Apr 10, 2014)

harshilsharma63 said:


> Why is it called 'heartbleed', though it sounds pretty cool?



leaks out data from the RAM.. the heart of the system?


----------



## flyingcow (Apr 10, 2014)

Is steampowered.com also affected, or just steamcommunity.com? Also, is private info stored on both sites or on steampowered only?


----------



## harshilsharma63 (Apr 10, 2014)

a_k_s_h_a_y said:


> leaks out data from the RAM.. the heart of the system?



Source?


----------



## SaiyanGoku (Apr 10, 2014)

So, should I change my password or not? :/
Thankfully, I have not stored my CC/DC details on any of these sites.


----------



## amjath (Apr 11, 2014)

It's getting bigger
'Heartbleed' computer bug threat spreads to firewalls and beyond | Reuters


----------



## anirbandd (Apr 11, 2014)

Superayush said:


> Hey, but for online transactions don't you require a unique PIN/OTP, so a hacker actually cannot really misuse your stored info?



not for all banks.


----------



## amjath (Apr 11, 2014)

Superayush said:


> Hey, but for online transactions don't you require a unique PIN/OTP, so a hacker actually cannot really misuse your stored info?



Last year I thought something from Amazon UK using my credit card. My credit card has password authentication for transactions. But to my surprise the transaction was passed without asking for the password. So it's still vulnerable.


----------



## whitestar_999 (Apr 11, 2014)

That's because OTP is mandatory only for debit cards in India, if selected. Credit cards need to work internationally, where regulators don't mandate OTP/password, not to mention Visa/Mastercard do not come under RBI's purview unlike Indian banks. That is why it is recommended to use a virtual CC & not a physical CC for online transactions, or use a separate physical CC with low limits for international online transactions. Frankly speaking, people should not use a CC physically even within India & use only their debit cards with the OTP option selected unless absolutely necessary. Most of the CC cloning is done by your local staff at malls/cafes/shops/restaurants etc. & requires physical use of the CC. Within India, if a CC is used on Indian sites like Flipkart & something wrong happens (like this bug, e.g.), it is much easier to reverse charges compared to stolen CC info from some international site or CC cloning at some foreign location.


----------



## anirbandd (Apr 11, 2014)

whitestar_999 said:


> That's because OTP is mandatory only for debit cards in India, if selected. Credit cards need to work internationally, where regulators don't mandate OTP/password, not to mention Visa/Mastercard do not come under RBI's purview unlike Indian banks. That is why it is recommended to use a virtual CC & not a physical CC for online transactions, or use a separate physical CC with low limits for international online transactions. Frankly speaking, people should not use a CC physically even within India & use only their debit cards with the OTP option selected unless absolutely necessary. Most of the CC cloning is done by your local staff at malls/cafes/shops/restaurants etc. & requires physical use of the CC. Within India, if a CC is used on Indian sites like Flipkart & something wrong happens (like this bug, e.g.), it is much easier to reverse charges compared to stolen CC info from some international site or CC cloning at some foreign location.



precisely. 

I always use debit cards with OTP for online purchases.


----------



## snap (Apr 11, 2014)

> I don't mean to sound doom-and-gloom but I will be dropping "truth bombs" since some news outlets are unintentionally misinforming. Here's what you need to know about heart bleed:
> Game over. We lost.
> For nearly 3 years this vulnerability has been in existence. For nearly 3 years anyone could go to any OpenSSL service and dump memory contents without privileged access OR risk of detection
> Literally anything and everything stored into memory is fair game. This includes
> ...



Source: reddit


----------



## anirbandd (Apr 11, 2014)

snap said:


> Source:reddit



is 100% true. 

but now, I'll have to top up my phone balance physically. No more net banking for a long time.


----------



## amjath (Apr 11, 2014)

snap said:


> Source:reddit



what the hell


----------



## anirbandd (Apr 11, 2014)

yeah.. now i'll have to change each of my banking passwords. 

such bug..

much pain..

damn..


----------



## whitestar_999 (Apr 11, 2014)

Indian netbanking with OTP enabled is the safest option. In fact all those net banking fraud cases in the papers depend on 2 things: OTP not selected, or OTP selected but with a duplicate SIM after blocking the original SIM by filing a false lost/stolen report & the consumer not paying attention to the fact that his mobile is showing a no-service message for hours.


----------



## snap (Apr 11, 2014)

amjath said:


> what the hell



there is much more  

pretty sure NSA is also using this exploit

The Heartbleed Hit List: The Passwords You Need to Change Right Now


----------



## amjath (Apr 11, 2014)

snap said:


> there is much more
> 
> pretty sure NSA is also using this exploit
> 
> The Heartbleed Hit List: The Passwords You Need to Change Right Now



No, no, wait


> Don't change your password. It's strange advice to hear when the so-called Heartbleed bug is leaving databases all over the web open and exposed, but it's applicable. Yes, security has been compromised for many of your favorite websites and services (including Google, Flickr and Steam, at least initially) but protecting yourself isn't quite as easy as changing your password. Unlike past exploits, *Heartbleed isn't a database leak or a list of plaintext logins; it's a flaw in one of the web's most prevalent security protocols -- and until it's fixed, updating your login information won't do a darn thing to protect you.* What, then, can you do to protect yourself? Wait, watch and verify.



How to avoid heartburn, er, Heartbleed


----------



## snap (Apr 11, 2014)

xkcd: Heartbleed Explanation


----------



## $hadow (Apr 11, 2014)

Does going incognito help?


----------



## amjath (Apr 11, 2014)

$hadow said:


> Does going incognito help?



Short answer no.


----------



## sahil1033 (Apr 11, 2014)

amjath said:


> Last year I thought something from Amazon UK using my credit card. My credit card has password authentication for transactions. But to my surprise the transaction was passed without asking for the password. So it's still vulnerable.


Are you sure you thought?  *bought


----------



## $hadow (Apr 11, 2014)

amjath said:


> Short answer no.



Too bad.


----------



## zapout (Apr 11, 2014)

Why it's called heartbleed:



> The bug affects how OpenSSL, the most widely used cryptographic library for Apache and nginx Web servers, handles a service of Transport Layer Security called *Heartbeat*—an extension added to TLS in 2012.
> 
> Heartbeat allows a connected Web client or application to send messages to keep a connection active during a transfer of data. When a Heartbeat message is received, the server usually simply echoes back what it got to the sender. However, starting with the initial implementation of Heartbeat in OpenSSL 1.01 (and in all subsequent releases up to OpenSSL 1.01f, including the OpenSSL 1.0.2 beta) the extension could be fooled into sending back the contents of its memory buffer by sending a request that advertised itself as 64 kilobytes long but in fact had no content—resulting in “*Heartbleed*".




Source
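The mechanism the quoted passage describes, modelled in Python as an added example (this is not code from the thread, from the quoted article, or from OpenSSL). The pre-fix handler trusts the two-byte payload_length field and copies that many bytes from wherever the payload starts; the checked handler refuses any message whose claimed payload, together with the header and minimum padding, does not fit inside the record that actually arrived, which is the bounds check the OpenSSL 1.0.1g fix added. The memory image, the `session_cookie=CONSTRUCTED_SAMPLE_SECRET` neighbour and every function name are constructed for this illustration.

```python
import struct
from typing import Callable, Optional

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
HEADER_LEN = 1 + 2     # one type byte plus a two-byte big-endian payload_length
PADDING_LEN = 16       # RFC 6520 requires at least 16 bytes of random padding


def build_heartbeat(payload: bytes, advertised_len: Optional[int] = None) -> bytes:
    """Encode a HeartbeatRequest: type | payload_length | payload | padding.
    advertised_len lets the caller claim a payload_length that does not match
    the payload actually sent; that mismatch is the malformed message the
    quoted passage describes (64 KB advertised, nothing attached)."""
    if advertised_len is None:
        advertised_len = len(payload)
    header = struct.pack("!BH", HEARTBEAT_REQUEST, advertised_len)
    return header + payload + b"\x00" * PADDING_LEN


def unchecked_echo(memory: bytes, record_len: int) -> Optional[bytes]:
    """Model of the pre-1.0.1g handler. `memory` is a constructed process
    memory image whose first record_len bytes are the received record; what
    follows stands in for other data the process happened to hold. The handler
    believes payload_length and copies that many bytes from the payload start,
    so a large claim reaches past the record into the neighbouring bytes."""
    hb_type, payload_len = struct.unpack("!BH", memory[:HEADER_LEN])
    if hb_type != HEARTBEAT_REQUEST:
        return None
    echoed = memory[HEADER_LEN:HEADER_LEN + payload_len]
    return struct.pack("!BH", HEARTBEAT_RESPONSE, payload_len) + echoed


def checked_echo(memory: bytes, record_len: int) -> Optional[bytes]:
    """Model of the fixed handler: the echo happens only if the type byte, the
    length field, the claimed payload and the minimum padding all fit inside
    the record that was actually received. Anything else is discarded
    silently, so the response can never carry bytes the client did not send."""
    if record_len < HEADER_LEN + PADDING_LEN:
        return None                       # too short to be a valid heartbeat
    hb_type, payload_len = struct.unpack("!BH", memory[:HEADER_LEN])
    if hb_type != HEARTBEAT_REQUEST:
        return None
    if HEADER_LEN + payload_len + PADDING_LEN > record_len:
        return None                       # claimed payload runs past the record
    echoed = memory[HEADER_LEN:HEADER_LEN + payload_len]
    return struct.pack("!BH", HEARTBEAT_RESPONSE, payload_len) + echoed


# Constructed stand-in for whatever sat next to the record in process memory.
NEIGHBOUR = b"session_cookie=CONSTRUCTED_SAMPLE_SECRET" + b"\x00" * 64


def simulate(payload: bytes, advertised_len: Optional[int],
             handler: Callable[[bytes, int], Optional[bytes]]) -> Optional[bytes]:
    """Lay a heartbeat record in front of NEIGHBOUR and run one handler on it."""
    record = build_heartbeat(payload, advertised_len)
    memory = record + NEIGHBOUR
    return handler(memory, len(record))


def leaked_neighbour(response: Optional[bytes]) -> bool:
    """True when a response carries bytes that belong to NEIGHBOUR, not to the request."""
    return response is not None and b"CONSTRUCTED_SAMPLE_SECRET" in response


if __name__ == "__main__":
    # A well-formed request is echoed identically by both handlers.
    print(simulate(b"hello", None, unchecked_echo))
    print(simulate(b"hello", None, checked_echo))
    # The malformed request: a large claim with an empty payload.
    print("unchecked leaks neighbour:", leaked_neighbour(simulate(b"", 65535, unchecked_echo)))
    print("checked leaks neighbour:  ", leaked_neighbour(simulate(b"", 65535, checked_echo)))
```

Run as a script it prints both handlers' replies to a well-formed request and whether each one leaks the constructed neighbour on the malformed request. The point for defenders is the third `if` in `checked_echo`: the length of the record on the wire, not the length field inside it, is what bounds the copy, and a message that fails the check gets no reply at all, so a patched server cannot answer with more than it was sent.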


----------



## amjath (Apr 11, 2014)

WTF, now affecting routers too


----------



## snap (Apr 11, 2014)

$hadow said:


> Does going incognito help?



You read the OP's post?


----------



## Flash (Apr 12, 2014)

Remedy: use lastpass..
The LastPass Blog: LastPass and the Heartbleed Bug

- - - Updated - - -

Also check your favorite sites here for the vulnerability:

*lastpass.com/heartbleed/


----------



## tkin (Apr 12, 2014)

This bug is turning into a nightmare. A lot of the projects handled by our company use OpenSSL, guess they are all screwed. Got some frantic mails from the Corporate division; they are asking to shut down all OpenSSL based projects so they can send teams to patch it.


----------



## anirbandd (Apr 12, 2014)

tkin said:


> This bug is turning into a nightmare. A lot of the projects handled by our company use OpenSSL, guess they are all screwed. Got some frantic mails from the Corporate division; they are asking to shut down all OpenSSL based projects so they can send teams to patch it.



Great news.


----------



## anirbandd (Apr 12, 2014)

Flash said:


> Remedy: use lastpass..
> The LastPass Blog: LastPass and the Heartbleed Bug
> 
> - - - Updated - - -
> ...



NO. 

If you USE the passwords on vulnerable sites, it's still liable to be stolen.


----------



## snap (Apr 12, 2014)

NSA Said to Exploit Heartbleed Bug for Intelligence for Years - Bloomberg

- - - Updated - - -

*www.cloudflarechallenge.com/heartbleed

*www.theverge.com/us-world/2014/4/1...-heartbleed-to-retrieve-private-security-keys


----------



## anirbandd (Apr 12, 2014)

does anyone know if Citibank and SBI Online are affected or not?? 

Didn't find any info on the net.


----------



## whitestar_999 (Apr 12, 2014)

Don't worry. Seeing that no major bank & financial institution is in the list of major known affected sites, chances are Indian banks are safe too. Otherwise we would be getting messages in our online bank accounts & SMS to change our passwords.


----------



## amjath (Apr 13, 2014)

sahil1033 said:


> Are you sure you thought?  *bought





- - - Updated - - -

Edit: Important
Received a mail from McAfee today. They provided a tool/link to find the vulnerability. So whoever is looking for a vulnerability check on Indian sites and servers can check here
*tif.mcafee.com/heartbleedtest?utf8...HWG3bkxzhRvJwHTXvDhhHr!-398013275&commit=Scan

- - - Updated - - -

Update:

Google fixed their servers, change your passwords

*www.engadget.com/2014/04/09/google-heartbleed-patch-info/


----------



## anirbandd (Apr 13, 2014)

whitestar_999 said:


> Don't worry. Seeing that no major bank & financial institution is in the list of major known affected sites, chances are Indian banks are safe too. Otherwise we would be getting messages in our online bank accounts & SMS to change our passwords.



How come?? Banking sites use the same OpenSSL, no??


----------



## whitestar_999 (Apr 13, 2014)

No. SSL is a protocol like HTTP & OpenSSL is an application like a browser. Just because a browser has a vulnerability (say Firefox) does not mean another browser (say Chrome) too will have the same vulnerability even if they both use HTTP. Most banks rely on 3rd party vendors & proprietary software (e.g. many Indian banks use Infosys's Finacle software) which are the exact opposite of open source software like OpenSSL.


----------



## anirbandd (Apr 13, 2014)

whitestar_999 said:


> No. SSL is a protocol like HTTP & OpenSSL is an application like a browser. Just because a browser has a vulnerability (say Firefox) does not mean another browser (say Chrome) too will have the same vulnerability even if they both use HTTP. Most banks rely on 3rd party vendors & proprietary software (e.g. many Indian banks use Infosys's Finacle software) which are the exact opposite of open source software like OpenSSL.



Hain??

So that's secure??


----------



## whitestar_999 (Apr 13, 2014)

Yes. Sometimes using software that costs money is more secure than using free open source software. This is the main reason why most banks/financial institutions don't use free security software.


----------



## anirbandd (Apr 13, 2014)

Those apps don't use OpenSSL?


----------



## whitestar_999 (Apr 13, 2014)

They use SSL just as OpenSSL uses SSL, but in a different manner. It is like how both Chrome & Firefox use different ways to render the same web page using HTTP.


----------



## anirbandd (Apr 13, 2014)

So that is not affected and is completely safe?


----------



## whitestar_999 (Apr 13, 2014)

Any software application that handles SSL in a manner different from OpenSSL is safe from the Heartbleed bug at least. SSL is a protocol & is safe; it is the software OpenSSL which uses SSL that is affected by this bug.


----------



## SaiyanGoku (Apr 13, 2014)

amjath said:


> Google fixed their servers, change your passwords
> 
> Google has patched most of its major services from the 'Heartbleed' security bug



So we really need to change them after the patch?


----------



## whitestar_999 (Apr 13, 2014)

Not officially, unless you get a notification to change your password after you log in. It is though advisable to change it just in case.


----------



## amjath (Apr 13, 2014)

SaiyanGoku said:


> So we really need to change them after the patch?



Yes, every site says so. If you change before the fix, the new password is still vulnerable.



whitestar_999 said:


> Not officially, unless you get a notification to change your password after you log in. It is though advisable to change it just in case.



It is like "Park your vehicles at your own risk". They will not notify you, but you should.

- - - Updated - - -

Yahoo also patched their server


----------



## whitestar_999 (Apr 14, 2014)

Well, the policy is to notify. Every email/website does this whenever there is a data breach as it is required under laws (& not the Indian ones, which can be lax). In Yahoo Mail you cannot even proceed without changing your password, but no such thing with Gmail. Just because the Heartbleed bug was there doesn't mean anyone with even above average hacker skills can take advantage of it. It takes some really good skills & lots of resources to take advantage of this vulnerability & nobody is going to waste them on email accounts of typical users. I agree it is good practice to change even your Google password, but my assumption is that the chances of your Google password leaking because of some malware/site you visit are much higher than because of the Heartbleed bug.


----------



## gameranand (Apr 14, 2014)

What the $hitty hell is this. The sites mentioned there, I use some of them regularly. Well, it's a good thing that I always use LastPass, dunno if it kept me safe or not, but damn, they took friggin 3 years to find this bug and we were unprotected for 3 years. What the hell are these companies paying their security experts, or are they even paying or not? God help me.


----------



## whitestar_999 (Apr 14, 2014)

Don't worry too much. Chances are if companies like Google couldn't find it then hackers too missed it. Some say the NSA knew, but then in a way your data in NSA hands is much better than in the hands of some hacker. Banking/financial institutions are mostly unaffected. Also see my earlier post.


----------



## anirbandd (Apr 14, 2014)

gameranand said:


> What the $hitty hell is this. The sites mentioned there, I use some of them regularly. Well, it's a good thing that I always use LastPass, dunno if it kept me safe or not, but damn, they took friggin 3 years to find this bug and we were unprotected for 3 years. What the hell are these companies paying their security experts, or are they even paying or not? God help me.



chillax.. it's an open source application. It's free.

- - - Updated - - -



whitestar_999 said:


> *Don't worry too much. Chances are if companies like Google couldn't find it then hackers too missed it.* Some say the NSA knew, but then in a way your data in NSA hands is much better than in the hands of some hacker. Banking/financial institutions are mostly unaffected. Also see my earlier post.



I would bet on that. Black hats have an extraordinary line of thought.

- - - Updated - - -

Legit white hats hardly think like the black hats. They just do not have the experience.


----------



## Inceptionist (Apr 14, 2014)

Can we get a list of Indian sites affected by this? The lists on the Internet focus on US sites mostly.


----------



## anirbandd (Apr 14, 2014)

I bet TDF forum was NOT affected.

- - - Updated - - -

on a serious note,



Inceptionist said:


> Can we get a list of Indian sites affected by this? The lists on the Internet focus on US sites mostly.





- - - Updated - - -

UPDATE: 

here is a link to a list of tested sites. 

```
*github.com/musalbas/heartbleed-masstest/blob/master/top1000.txt
```

Citibank, OnlineSBI, ICICI, HDFC etc.. they don't use SSL??


----------



## whitestar_999 (Apr 14, 2014)

No one is going to target small Indian sites (compared to their international counterparts). As for the black hat/white hat argument, there is not much difference between them. Many times black hats work as white hats & white hats work as black hats. *Do not be under the impression that you can be a good hat (white or black) by following only "legitimate" methods.*


----------



## anirbandd (Apr 14, 2014)

whitestar_999 said:


> *No one is going to target small Indian sites* (compared to their international counterparts). As for the black hat/white hat argument, there is not much difference between them. Many times black hats work as white hats & white hats work as black hats. Do not be under the impression that you can be a good hat (white or black) by following only "legitimate" methods.



You are not talking about banking sites, I hope?

Indian banks have a lot of "potential".. after all, [almost] all of our politicians are scamsters.


----------



## snap (Apr 14, 2014)

anirbandd said:


> i bet TDF forum was NOT affected.



TDF does get DDoSed sometimes


----------



## whitestar_999 (Apr 14, 2014)

*Indian banks, just like other banks, were not affected by the Heartbleed bug as they don't use OpenSSL.* As for "potential", again no Indian scamster worth his salt would put his ill-gotten money in an Indian bank (& those who do are amateurs who got caught & whose names you see in the papers).


----------



## anirbandd (Apr 14, 2014)

whitestar_999 said:


> *Indian banks, just like other banks, were not affected by the Heartbleed bug as they don't use OpenSSL.*



that's a relief. :whew:



whitestar_999 said:


> As for "potential", again no Indian scamster worth his salt would put his ill-gotten money in an Indian bank (& those who do are amateurs who got caught & whose names you see in the papers).



true.


----------



## flyingcow (Apr 15, 2014)

saw this today
*imgs.xkcd.com/comics/heartbleed_explanation.png
but couldn't people do that already? SSL injection or something like that, I think?


----------



## whitestar_999 (Apr 15, 2014)

If they could it wouldn't be such a big deal.


----------



## anirbandd (Apr 15, 2014)

NSA could, according to reports. 

this is what happens when a group of *underfunded* enthusiastic individuals work for the good of the web.


----------



## whitestar_999 (Apr 15, 2014)

The NSA could because there was this vulnerability. Another way is to directly tap servers, in which pretty much any security measure is useless, but it is also much more difficult to hide. As for this vulnerability, read some discussions over the web in which many good programmers have blamed the lack of sincere effort & participation in the development of OpenSSL, which proves the point that any open source software is only as good as the people participating in its development. That is why banks & major financial institutions don't use it. *There is a reason why they say you get what you pay for.*


----------



## flyingcow (Apr 15, 2014)

whitestar_999 said:


> If they could it wouldn't be such a big deal.


no sh!t


----------



## snap (Apr 15, 2014)

anyone tried this? *chrome.google.com/webstore/detail/chromebleed/eeoekjnjgppnaegdjbcafdggilajhpic?hl=en


----------



## tkin (Apr 15, 2014)

whitestar_999 said:


> The NSA could because there was this vulnerability. Another way is to directly tap servers, in which pretty much any security measure is useless, but it is also much more difficult to hide. As for this vulnerability, read some discussions over the web in which many good programmers have blamed the lack of sincere effort & participation in the development of OpenSSL, which proves the point that any open source software is only as good as the people participating in its development. *That is why banks & major financial institutions don't use it.* *There is a reason why they say you get what you pay for.*


IMHO commercial institutions tend to stay away from using open source:

1. The code, at least the root code, is open; anyone and everyone can see it. If a bug exists it will be exposed to whitebox testing, which is very dangerous; it's much more difficult to find bugs via blackbox testing.
2. If they pay for the code then there is someone to blame; if they suffer financial losses due to a bug then they can charge the vendor. There is usually a warranty period.

Then again there are exceptions. My previous project was for State Farm insurance; they use a host of open source software, like PostgreSQL, the Spring framework etc. You won't see that in India though.


----------

