• OpenSSL "Heartbleed" Bug: Security hole can reveal client memory, breaking a huge chunk of encryptio
I wonder if this is the flaw the Comodo Hacker mentioned and was using a few years ago.
[QUOTE=PsiSoldier;44504165]is there a list of the 'big' sites that were (or still are) vulnerable to this somewhere? like outlook, google, youtube, facebook, paypal, etc? i checked the OP and skimmed the whole thread and couldn't find anything like that.[/QUOTE] Google researchers were the ones who discovered the flaw.
[QUOTE=Jsm;44503795]So you are telling me that in the US you can run exploits which retrieve data from a server nice and legally? I don't think so.[/QUOTE] You as a user of the tool will never have to face criminal charges because of it. I assume the author will also be OK as long as he is discarding the data he receives from the exploit and not storing it anywhere. Depending on your views though, it might be really rude.
Microsoft doesn't use OpenSSL, and I can't imagine there's anything running on PayPal's servers that was made in the past 10 years, so they probably don't either. [editline]10th April 2014[/editline] my merge [editline]10th April 2014[/editline] [url]https://www.paypal-community.com/t5/PayPal-Forward/OpenSSL-Heartbleed-Bug-PayPal-Account-Holders-are-Secure/ba-p/797568?profile.language=en#[/url]
i just found a list of affected sites [URL]http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/[/URL] and does anyone know if Playstation sites were affected? same for Facepunch?
[QUOTE=robotman5;44510597]i just found a list of affected sites [URL]http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/[/URL] and does anyone know if Playstation sites were affected? same for Facepunch?[/QUOTE] Facepunch https goes through cloudflare iirc and they had it fixed in a split second
[QUOTE=Mega1mpact;44510734]Facepunch https goes through cloudflare iirc and they had it fixed in a split second[/QUOTE] Alright that's good, now do you know if sony patched their playstation site?
[QUOTE=robotman5;44510750]Alright that's good, now do you know if sony patched their playstation site?[/QUOTE] Sony is safe.
[QUOTE=Map in a box;44512872]Sony is safe.[/QUOTE] Do you have a source?
[QUOTE=robotman5;44512905]Do you have a source?[/QUOTE] Don't need a source, I checked manually. [editline]10th April 2014[/editline] Also you're not going to be able to isolate yourself from the internet so no need to stress over this just reset your passwords in a week if you're worried :v:
[QUOTE=Map in a box;44512913]Don't need a source, I checked manually. [editline]10th April 2014[/editline] Also you're not going to be able to isolate yourself from the internet so no need to stress over this just reset your passwords in a week if you're worried :v:[/QUOTE] I just tell everybody not to worry about accounts that haven't been logged into in a recent timeframe. Because this exploit exposes data in memory, not data on the filesystem, and chances are if you haven't logged into PayPal in a week or so your password probably isn't in memory.
[QUOTE=lavacano;44514358]I just tell everybody not to worry about accounts that haven't been logged into in a recent timeframe. Because this exploit exposes data in memory, not data on the filesystem, and chances are if you haven't logged into PayPal in a week or so your password probably isn't in memory.[/QUOTE] You'd hope they wouldn't use raw passwords. Not only that, you would hope they would 0 the memory they are using for passwords.
[QUOTE=lavacano;44514358]I just tell everybody not to worry about accounts that haven't been logged into in a recent timeframe. Because this exploit exposes data in memory, not data on the filesystem, and chances are if you haven't logged into PayPal in a week or so your password probably isn't in memory.[/QUOTE] PayPal seems to not be affected at all, so I am guessing they are using a 3 year old version of OpenSSL.
Best explanation for people who don't understand programmer stuff: [img]http://imgs.xkcd.com/comics/heartbleed_explanation.png[/img]
[QUOTE=Ybbat;44514374]You'd hope they wouldn't use raw passwords. Not only that, you would hope they would 0 the memory they are using for passwords.[/QUOTE] Of course, but people are still worried that such things will happen anyway.
-snip-
[QUOTE=Ybbat;44514374]You'd hope they wouldn't use raw passwords. Not only that, you would hope they would 0 the memory they are using for passwords.[/QUOTE] This bug only leaks memory used by the OpenSSL instance it's exploited on. You can't read passwords from the memory of a web application with this, but you can read whatever incoming and outgoing HTTPS requests happen to be in memory at the time, after decryption or before encryption. And if one of those requests contains a username and password (it will if it's the request of someone logging in, or the web application stores login credentials in plaintext cookies on the client), then you can read that and extract the credentials.