
It’s real: hackers are using Heartbleed to attack servers

When the Heartbleed vulnerability was made public last week, it seemed terrifying. Afflicting thousands of servers across the Internet, the bug had the potential to expose a wide variety of private data, including credit card numbers, passwords, and even a server’s private encryption keys.

But one question that came up a lot was whether anyone had actually used Heartbleed to attack real computer systems. For the first few days, no one could point to real-world examples of Heartbleed attacks.

But now that uncertainty has been put to rest, as the security firm Mandiant reports that it has observed a Heartbleed attack occurring “in the wild.” The attack targeted a Virtual Private Network service at an unnamed organization, gaining access to its internal corporate network — and it shows that hackers are finding the parts of the internet that are least likely to have been updated to protect against Heartbleed.

The attack worked like this. When a user logs into a VPN service, it issues a “session token,” a temporary credential that is supposed to prove that a user has already been authenticated. By stealing the authentication token from the server’s memory, the attacker can impersonate the legitimate user and hijack her connection to the server, gaining access to the organization’s internal network.
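The attack described above begins with a malformed TLS heartbeat message, which is also what gives defenders something to look for on the wire. The following detector is an added example written for this page; it is not code from Vox, Mandiant or the OpenSSL project. It splits a byte stream into TLS records and flags any heartbeat record (content type 24, per RFC 6520) whose declared payload length, plus the mandatory 16 bytes of padding, exceeds the bytes the record actually carries, which is the same arithmetic the OpenSSL fix applies. The sample traffic is constructed inline and is not a capture from the incident the article reports.

```python
import struct
from typing import List, Optional, Tuple

HEARTBEAT_CONTENT_TYPE = 24   # TLS ContentType for the heartbeat extension (RFC 6520)
HEARTBEAT_HEADER_LEN = 1 + 2  # HeartbeatMessageType (1 byte) + payload_length (2 bytes)
HEARTBEAT_MIN_PADDING = 16    # RFC 6520 requires at least 16 bytes of random padding


def parse_tls_records(data: bytes) -> List[Tuple[int, int, bytes]]:
    """Split a raw byte stream into TLS records as (content_type, version, body)."""
    records = []
    offset = 0
    while offset + 5 <= len(data):
        content_type, version, length = struct.unpack("!BHH", data[offset:offset + 5])
        body = data[offset + 5:offset + 5 + length]
        if len(body) < length:
            break  # truncated stream: stop rather than misparse the tail
        records.append((content_type, version, body))
        offset += 5 + length
    return records


def declared_payload_length(body: bytes) -> Optional[int]:
    """Return the payload_length field of a heartbeat body, or None if too short to hold one."""
    if len(body) < HEARTBEAT_HEADER_LEN:
        return None
    return struct.unpack("!H", body[1:3])[0]


def heartbeat_is_malformed(body: bytes) -> bool:
    """True when a heartbeat record claims more payload than it actually carries.

    A patched OpenSSL rejects a heartbeat if 1 + 2 + payload_length + 16 exceeds the
    record length; a vulnerable one instead answers with that many bytes of memory.
    Applying the same check to traffic catches the probe regardless of the server.
    """
    declared = declared_payload_length(body)
    if declared is None:
        return True
    return HEARTBEAT_HEADER_LEN + declared + HEARTBEAT_MIN_PADDING > len(body)


def scan_for_heartbleed(data: bytes) -> List[str]:
    """Return one alert string per malformed heartbeat record found in the stream."""
    alerts = []
    for idx, (ctype, _version, body) in enumerate(parse_tls_records(data)):
        if ctype != HEARTBEAT_CONTENT_TYPE:
            continue  # handshake, alert and application data records are not of interest here
        if heartbeat_is_malformed(body):
            alerts.append(
                f"record {idx}: heartbeat declares payload {declared_payload_length(body)} "
                f"bytes but record body is only {len(body)} bytes"
            )
    return alerts


def make_record(content_type: int, body: bytes, version: int = 0x0303) -> bytes:
    """Wrap a body in a TLS record header (used only to build the constructed samples)."""
    return struct.pack("!BHH", content_type, version, len(body)) + body


# Constructed sample traffic (hypothetical, not from the reported incident):
# a handshake record, a well-formed heartbeat, and a heartbeat that lies about its length.
BENIGN_HEARTBEAT = make_record(
    HEARTBEAT_CONTENT_TYPE, b"\x01" + struct.pack("!H", 4) + b"ping" + b"\x00" * HEARTBEAT_MIN_PADDING
)
MALFORMED_HEARTBEAT = make_record(
    HEARTBEAT_CONTENT_TYPE, b"\x01" + struct.pack("!H", 0x4000) + b"\x00" * HEARTBEAT_MIN_PADDING
)
SAMPLE_STREAM = make_record(22, b"\x01\x00\x00\x02\x03\x03") + BENIGN_HEARTBEAT + MALFORMED_HEARTBEAT

if __name__ == "__main__":
    for alert in scan_for_heartbleed(SAMPLE_STREAM):
        print(alert)
```

In real deployments the same length comparison is what intrusion-detection signatures for Heartbleed implement; the value of running it at the network edge is that it covers the appliances the article describes, the ones an organization may not even know are running OpenSSL, without having to patch each of them first.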

In the immediate aftermath of Heartbleed’s discovery, the vulnerability of big organizations like Google and Tumblr got most of the press. But those are huge firms employing thousands of engineers. They quickly updated their software and hardened their defenses.

The problem is that OpenSSL is used by a lot of smaller companies in a wide variety of special-purpose networking appliances. The software on these network appliances may not be as easy to upgrade as a general-purpose web server. And organizations might not even realize that their devices are running OpenSSL in the first place, much less know how to fix it.

That means we should expect to see organizations being hit with Heartbleed attacks for a long time to come. It’ll be a recurring reminder that we don’t invest nearly enough to secure our IT infrastructure.
