007 - Heartbleed bug
“Heartbleed” is the name given to a bug in the popular OpenSSL cryptographic software library that created a serious vulnerability which allowed attackers to read memory from otherwise secure servers.
The bug was introduced into the software in 2012 and the vulnerability was publicly disclosed in April 2014. According to heartbleed.com, testing the vulnerability on their own services allowed them to steal certificate keys, user names and passwords, instant messages, emails and business critical documents and communication.
The bug allowed the attacker to perform a buffer over-read, a situation where more data can be read than should be allowed.
A visual explanation of this is provided in xkcd #1354:
The three lines of code above are the core of the bug:
memcpy is a function used to copy a given number of bytes from one memory location to another. The number of bytes to copy is specified in the variable payload, which in this case is provided by the user. This allows the attacker to request any number of bytes from the server, which are then copied and returned in the response.
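The over-read described above, next to a bounds-checked version, as an added example that is not OpenSSL's code or code from this page. It is a simplified model: the function names, the 64-byte `memory` array and the secret string are constructed for illustration, and the 16-byte minimum padding comes from the heartbeat specification (RFC 6520).

```c
#include <stddef.h>
#include <string.h>

#define HDR 3       /* 1-byte type + 2-byte payload length */
#define PADDING 16  /* minimum padding after the payload (RFC 6520) */

/* Vulnerable shape: the copy length comes straight from the request. */
size_t heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                            unsigned char *out)
{
    size_t payload = ((size_t)rec[1] << 8) | rec[2];  /* attacker-controlled */
    (void)rec_len;                                     /* never consulted */
    memcpy(out, rec + HDR, payload);                   /* reads past the record */
    return payload;
}

/* Hardened shape: drop records whose claimed length exceeds what arrived. */
size_t heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                       unsigned char *out)
{
    if (rec_len < HDR + PADDING)
        return 0;                                      /* too short to be valid */
    size_t payload = ((size_t)rec[1] << 8) | rec[2];
    if (HDR + payload + PADDING > rec_len)
        return 0;                                      /* length field lies */
    memcpy(out, rec + HDR, payload);
    return payload;
}

/* Constructed demo: a 3-byte record claiming 40 payload bytes, stored in
   front of unrelated data. Returns 1 if that data shows up in the reply. */
int reply_leaks_secret(int use_fixed)
{
    static unsigned char memory[64];   /* stand-in for process memory */
    static unsigned char out[65535];   /* reply buffer, maximum payload size */
    const char *secret = "SECRET-KEY-MATERIAL";
    memset(memory, 0, sizeof memory);
    memset(out, 0, sizeof out);
    memory[0] = 0x01; memory[1] = 0x00; memory[2] = 40;  /* type, length = 40 */
    memcpy(memory + HDR, secret, strlen(secret));         /* adjacent data */
    size_t n = use_fixed ? heartbeat_fixed(memory, HDR, out)
                         : heartbeat_vulnerable(memory, HDR, out);
    return n >= strlen(secret) && memcmp(out, secret, strlen(secret)) == 0;
}
```

The only difference between the two handlers is that the hardened one compares the claimed payload length against the number of bytes that actually arrived before copying.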
For more information, see: