What seemed like good news this morning has quickly turned bad, if not downright terrifying.
This morning’s disclosure by Web security firm CloudFlare that at least one worst-case scenario related to the Heartbleed vulnerability might be impossible has been proven wrong by independent researchers in less than a day. Two independent tests have proven CloudFlare’s initial findings wrong, which means that certain nasty possibilities involving the bug are indeed possible.
The firm had determined that using the Heartbleed HeartBleed vulnerability to steal private server keys appeared impossible, which looked to be the first good news since the bug was revealed earlier this week.
CloudFlare had set up a public challenge seeking outside validation of the results of its own testing. The challenge lasted until late Friday afternoon Pacific Time.
The first to pull out an SSL private key, according to CloudFlare, was Fedor Indutny, a Russian security researcher. He tweeted this picture less than an hour ago:
He went on to say the script that he used took about three hours to obtain the key.
Another researcher, Ilkka Mattila of Finland, submitted a second successful attempt about an hour later.
“We confirmed that both of these individuals have the private key and that it was obtained through Heartbleed exploits. We rebooted the server at 3:08PST, which may have contributed to the key being available in memory, but we can’t be certain,” CloudFlare said in a post on the site.
The findings would appear to confirm some of the worst fears of security experts, who had worried that attackers exploiting the vulnerability could use it to impersonate a server. A server’s private keys are used to generate certificates that prove that a server is legitimate, similar to the way we use passports and other forms of ID to prove who we are. Now a vulnerable banking or credit card site can be impersonated by an attacker who might use it to lure unwitting users to hand over their account names and passwords.
It’s been a busy day on the Heartbleed front. This afternoon, Bloomberg News reported that the U.S. National Security Agency has been exploiting the vulnerability for years. The NSA and the Director of National Intelligence were quick to deny the report.