Heartbleed bug *can* expose private SSL keys

At the end of last week, engineers at CloudFlare said that they had been unable to exploit the Heartbleed bug to steal SSL keys from a server:

We’ve spent much of the time running extensive tests to figure out what can be exposed via Heartbleed and, specifically, to understand if private SSL key data was at risk.

Here’s the good news: after extensive testing on our software stack, we have been unable to successfully use Heartbleed on a vulnerable server to retrieve any private key data.

So, they set the internet a challenge – putting a test server online and inviting people to try to grab its private server keys by exploiting the so-called Heartbleed vulnerability in OpenSSL.

This site was created by CloudFlare engineers to be intentionally vulnerable to heartbleed. It is not running behind CloudFlare’s network. We encourage everyone to attempt to get the private key from this website. If someone is able to steal the private key from this site using heartbleed, we will post the full details here.

Well, they soon got an answer. And it wasn’t the good news we might have all wished for.

Within hours, software engineer Fedor Indutny was revealed to have recovered the private keys from the web server.

Indutny claimed on Twitter that a script he wrote for the purpose took just three hours to hunt down the private SSL key.

CloudFlare confirmed Indutny’s success, and speculated that rebooting the server at one point might have contributed to the challenger’s successful exfiltration of their server’s secret key.

One thing is clear. If you administer a server and have so far put off revoking and reissuing your SSL certificates, it might be time to think again.

If you don’t, you could be putting your users and online customers in jeopardy.

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast.

One comment on “Heartbleed bug *can* expose private SSL keys”

  1. Coyote

    Yes.. and interestingly, BBC reports _this_ (today I guess – when I saw it anyway):

    A leading UK site for parents and the Canadian tax authority have both announced they have had data stolen by hackers exploiting the Heartbleed bug.

    Mumsnet – which says it has 1.5 million registered members – said that it believed that the cyber thieves may have obtained passwords and personal messages before it patched its site.


    The Canada Revenue Agency said that 900 people's social insurance numbers had been stolen.

    I cannot help but wonder why they were waiting around… then I snap back to what little reality I have and realise that most corporations, organisations and people in general do not take this type of thing seriously enough (I somehow doubt it was exploited right after it was made public … Mumsnet suggested that they found out last Friday). Especially shameful for the Canadian one, though (one can hope it isn't maybe the NSA that thought if they had social insurance numbers they could make use of it to prevent an ideal – terror etc. – just like everything else they do is given that reason)…

    Either way, I guess both organisations will have to deal with it and that includes the major problems (misery and fear of consequences) for those it will affect (one can hope they both DO in fact take responsibility and address it appropriately).
