Tests prove users can gain access to a server’s private keys via Heartbleed bug

Just over a week has passed since Heartbleed bug, one of the biggest security threats was reported and the implications of this seemingly innoncuous loophole have gotten worse day by day.

According to a post on PCWorld, Heartbleed bug would not spare even tight secured servers and is likely to expose the confidential information like users’ passwords at many popular Websites.

Heartbleed bug can expose server's private key


The engineers at CloudFlare, a SanFrancisco-based online security company, said that they had spent a lot of time carrying experiments to figure out what can be exposed via Heartbleed and, specifically to understand if private SSL key data was at risk. They were happy on learning that after a series of experiments on their software stack, they were unable to successfully use Heartbleed on a vulnerable server to retrieve any confidential data.

The private keys are used to ensure that communication between a user and the website are encrypted, referred to as SSL/TLS (Secure Sockets Layer/Transport Security Layer).

So, they setup a challenge –putting a test server online. This server ran on nginx -1.5.13 web server software that was using a vulnerable OpenSSL version 1.0.1 on a 64-bit x86 Ubuntu 13.10 system. CLoudFlare invited people to attempt to grab the private keys from this website. The company also said that it would post the full details if someone was successful in stealing the private key from the site.

Well, immediately they got an answer. And it was the bad news we had never expected to hear.

Very soon, Fedor Indutny, a Russian researcher, was the first person to come up with the news that he was successful at recovering the private keys from the web server. The Heartbleed bug lets a hacker access upto 64 kilobytes of data, but repeat the attack to get lots of information. That means a hacker can not only retrieve usernames and passwords, but also “cookie” data that Web servers and browsers use to track individuals and ease login.

Another person who was successful to get the key was IIkka Matilla of National Cyber Security Centre in Finland. In an update to the blog post, Nick Sullivan included two other names who completed the challenge Rubin Xu, a researcher at Cambridge University and Ben Murphy, a security researcher.

Indutny claimed on Twitter that he wrote a script for the purpose and used it to access the private SSL key. It nearly took him around three hours to complete the task.

“We confirmed that all individuals used only the Heartbleed flaw to obtain the private key,”

Sullivan wrote.

The private key is a part of security certificate which verifies that a client computer isn’t connecting to a fake website pretending to be an original one. A padlock appears on the left most part of the address bar if the site your system is accessing is a secure and trusted one or else you get a warning if the certificate is invalid.

How the researchers individually gained access to the private key hasn’t been revealed.

“It is at the discretion of the researchers to share the details of the tricks used,”

Sullivan wrote.