Hacker successfully uses Heartbleed to retrieve private security keys


This morning, content distribution network Cloudflare gave some hope to those affected by the Heartbleed security flaw with an announcement that the bug might not be as bad as feared. In two weeks of testing, Cloudflare said, its researchers failed to exploit the bug to steal a website's private SSL keys, which secure the data sent to users. It issued a challenge to white-hat hackers to successfully retrieve the private security keys — and unfortunately for the web, one of them succeeded.

The hacker, Node.js team member Fedor Indutny, claimed on Twitter that he'd tracked down the SSL keys.

Just cracked @CloudFlare’s challenge: https://www.cloudflarechallenge.com/heartbleed. I wonder when they’ll update the page.

12:23 AM - 12 Apr 2014

Moscow, Russia

The implications for the web are significant. Even after a server is patched to fix the Heartbleed vulnerability, the private keys can continue to be used to access user data unless whoever is running the server updates its security certificate. The news also directly contradicts Cloudflare's earlier claim that it "may in fact be impossible" to retrieve the SSL keys. The company has yet to issue a statement, but, according to the challenge website, promises to offer details soon.

Update April 11, 10:02PM EST: Cloudflare now states that two hackers, Fedor Indutny and Ilkka Mattila, both managed to obtain the private SSL key.


Edited by F3dupsk1Nup