TIME Technologizer

How They Found Heartbleed

Over at Vocativ, Eric Markowitz has a good piece on how a Finnish security firm discovered the Heartbleed bug that’s left vast numbers of Internet services utterly vulnerable for more than two years:

Before hanging up, Chartier instructed one of the Finnish engineers to write an exploit code to take advantage of Codenomicon‘s own site. Basically, Chartier wanted to see what, exactly, a hacker could get if they knew about the bug.

“We attacked ourselves,” Chartier says. The results freaked him out. The team realized they were able to access a user’s memory, encryption keys, usernames and passwords—”plus a lot of other stuff that we don’t want to mention,” Chartier says. “We saw how serious it was.”

An engineer at Codenomicon, the firm in question, found the bug at the same time as a Google researcher, an amazing coincidence considering that it was introduced back in March 2012.

The whole situation is chilling — not just because we don’t know who might have known about the bug and leveraged it to steal data, but also because it’s such a sobering reminder of how little we know about the software we depend on every day. There are other Heartbleeds out there; it’s just that nobody’s told us about them yet.

More Heartbleed coverage on TIME

Tap to read full story

Your browser is out of date. Please update your browser at http://update.microsoft.com


Dear TIME Reader,

As a regular visitor to TIME.com, we are sure you enjoy all the great journalism created by our editors and reporters. Great journalism has great value, and it costs money to make it. One of the main ways we cover our costs is through advertising.

The use of software that blocks ads limits our ability to provide you with the journalism you enjoy. Consider turning your Ad Blocker off so that we can continue to provide the world class journalism you have become accustomed to.

The TIME Team