The Heartbleed bug works, and could be a scapegoat for older breaches

After issuing a community challenge on Friday, website performance and defense firm CloudFlare learned within 11 hours that private keys can be stolen using the Heartbleed bug – a critical vulnerability in widely used versions of the OpenSSL library that ultimately puts SSL/TLS encrypted communications at risk.

Following a roughly weeklong analysis of the vulnerability, the experts at CloudFlare wanted to see just how susceptible vulnerable servers were to Heartbleed, so they set up an nginx server running one of the vulnerable versions of OpenSSL and told the community to start hacking.

“We studied the risk internally and concluded it was low, but we weren't sure,” Matthew Prince, CEO of CloudFlare, told on Tuesday. “We launched the challenge to crowd source the analysis. Within 11 hours of launching the challenge a researcher out of Russia proved our conclusion wrong.”

The bug is exploited by sending malformed heartbeat requests to a server, and the researcher, a software engineer named Fedor Indutny, sent as few as 2.5 million of them over the course of the day, according to a Friday CloudFlare post. The post also acknowledges three other researchers who fairly quickly confirmed that Heartbleed is exploitable.

The sheer volume of attacks from the thousands of people participating in the challenge was surprising, Prince said: there were 11 million attack attempts in the first six hours, peaking at more than 100 megabits per second of data being downloaded from the server.

Tests such as the CloudFlare challenge, which prove that the Heartbleed bug is a genuine, practical threat, have coincidentally been wrapping up just as some companies are announcing data breaches tied to the critical vulnerability.

Over the weekend, UK parenting website Mumsnet announced that credentials and other information may have been stolen from as many as all 1.5 million of its users, and the Canada Revenue Agency, the federal agency that handles taxation, announced that about 900 social insurance numbers were removed from its systems.