The Heartbleed security hole exists only in servers that use OpenSSL. The computer sends a signal to the server, and the server should send back precisely the same signal. This happens only if the connection is secured, and it is the basic idea behind securing Internet services and websites. Because of the Heartbleed bug, there is an error in this system. The security hole allows an attacker to access information that should have stayed between the computer and the server. In the normal situation, the computer sending the signal to the server sets two conditions: the length of the signal and the required symbols. The bugged connection has only one condition: the required symbols. So, if the computer asks the server to send back the 4-letter word 'bird', in the normal case the server does exactly that, and the connection is then confirmed as secure. If the server tries to send anything other than those specific 4 symbols, there is an error and the connection between the computer and the server is lost.
In the bugged situation, the computer asks the server to send back the word 'bird' but does not set the number of letters. This is what Heartbleed is all about. As long as the first letters are the ones the computer asked for, everything looks like it is working fine. But because the length of the signal was not set, the signal can also include other data. The signal coming back can be, for example, 'bird my credit card number is xxxx zzzz yyyy oooo pppp.' That is how the hacker can access your personal information: you send it to him without even knowing. Of course, the information can be anything else that you have done with your computer, such as passwords, Internet browser history, social security numbers, etc. Hijacking someone's identity is then more than just possible.
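The missing length check described above, as an added example in C (not OpenSSL's code and not part of the original page). In the TLS heartbeat message (RFC 6520) the request carries a declared payload length; the first function echoes that many bytes without comparing the figure to what actually arrived, and the second discards such a request. All function names, buffers and sample bytes are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_HEADER  3   /* type (1 byte) + declared payload length (2 bytes) */
#define HB_PADDING 16  /* minimum padding after the payload (RFC 6520) */

/* Constructed memory: a 7-byte request declaring 40 payload bytes (0x0028),
   followed by unrelated data standing in for neighbouring heap contents. */
static const uint8_t LEAKY[] =
    "\x01\x00\x28" "bird" " my credit card number is xxxx zzzz yyyy";
#define LEAKY_LEN 7    /* bytes that actually arrived in the record */

/* Constructed well-formed request: declares 4 bytes, carries 4 + padding. */
static const uint8_t GOOD[] = "\x01\x00\x04" "bird" "0123456789abcdef";

static size_t declared_len(const uint8_t *rec)
{
    return ((size_t)rec[1] << 8) | rec[2];   /* big-endian, peer-controlled */
}

/* Vulnerable form: echoes as many bytes as the peer declared. */
static size_t reply_unchecked(const uint8_t *rec, uint8_t *out, size_t cap)
{
    size_t n = declared_len(rec);
    if (n > cap) return 0;                   /* protects only the output buffer */
    memcpy(out, rec + HB_HEADER, n);         /* may read past the record */
    return n;
}

/* Hardened form: drop the record unless header + payload + padding fit in it. */
static size_t reply_checked(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t cap)
{
    if (rec_len < HB_HEADER + HB_PADDING) return 0;
    size_t n = declared_len(rec);
    if (HB_HEADER + n + HB_PADDING > rec_len || n > cap) return 0;
    memcpy(out, rec + HB_HEADER, n);
    return n;
}

int main(void)
{
    uint8_t out[64];
    size_t n = reply_unchecked(LEAKY, out, sizeof out);
    printf("unchecked, short record: %zu bytes \"%.*s\"\n", n, (int)n, (const char *)out);
    printf("checked, short record:   %zu bytes\n", reply_checked(LEAKY, LEAKY_LEN, out, sizeof out));
    printf("checked, valid record:   %zu bytes\n", reply_checked(GOOD, sizeof GOOD - 1, out, sizeof out));
    return 0;
}
```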