The Heartbleed bug affects versions 1.0.1 and 1.0.2(beta) of the popular OpenSSL cryptographic software library. Thanks to this vulnerability in OpenSSL, attackers can steal encrypted data protected by SSL/TLS. This vulnerability allows anyone with internet access to read the memory contents of the vulnerable machine. By reading the memory, the attackers can see the secret keys of the service providers, the usernames and passwords of the accounts on the machine. Just as if an attacker has placed a bug on your system, they can listen to all encrypted communications you make over the internet, steal data or present themselves as a service provider and engage in harmful activities.
Why is this error called Heartbleed?
Data leakage occurs due to an error in the heartbeat extension, which is the TLS implementation of OpenSSL.
What is leaking out?
The data leaked at the time of the attack by exploiting the vulnerability can be any data. This is what makes this mistake so scary. It is not possible to measure the financial damage caused by this attack until now, but eWEEK has announced the balance sheet of this attack as approximately 500 million dollars.(1)
Am I affected by this vulnerability?
This is a question that is asked most often and for which no real answer can be given. These open exploit attacks do not cause any abnormal behavior in the system and do not produce any logs. So even if you were affected in time, you may not have any news.
How am I protected?
If the OpenSSL version you are using on your system is up to date, there is nothing to worry about. If you are using OpenSSL version 1.0.1 or 1.0.2 beta, what you need to do is to update these versions. As we see here, keeping the systems up-to-date is the strongest defense we can do on the user's side.
Source:
https://www.eweek.com/security/heartbleed-ssl-flaw-s-true-cost-will-take-time-to-tally
