A hacker has succeeded in retrieving private security keys using the Heartbleed bug in OpenSSL, The Verge reported today.
“The hacker, Node.js team member Fedor Indutny, claimed on Twitter that he’d tracked down the SSL keys”, The Verge stated. The original tweet by the hacker is shown below:
Just cracked @CloudFlare ’s challenge: https://t.co/8ZPSxyKF4D . I wonder when they’ll update the page.
— Fedor Indutny (@indutny) April 11, 2014
Earlier this morning, the content distribution network CloudFlare had said that “Heartbleed is not as bad as feared”. It also said that after 2 weeks of research, its team could not exploit the bug to gain access to a site’s private keys.
Now, directly contradicting these claims, the hacker, Fedor Indutny, a member of the Node.js team, claimed that he had successfully retrieved private security keys using the SSL bug. Later, CloudFlare itself confirmed the hacker’s claim:
Results of the CloudFlare Challenge: http://t.co/nDX9QG2U5F Based on the findings, we recommend everyone reissue + revoke their private keys
— CloudFlare (@CloudFlare) April 12, 2014
Here’s the @CloudFlare team reviewing @indutny’s attack. pic.twitter.com/Sv5Iu2H9nK
— Matthew Prince (@eastdakota) April 12, 2014
With this confirmed, there is now even greater alarm among OpenSSL users. CloudFlare has recommended that people change their passwords as a security precaution.
The hacker later clarified that he will not be disclosing the code he used until all security passwords have been changed.
To: everyone writing to me
I’m not going to publish code that I used to crack it for a week or more to ensure that everyone has upgraded.
— Fedor Indutny (@indutny) April 12, 2014
With the scale of damage this bug can cause now demonstrated, many websites have begun updating their SSL security and recommending that users change their passwords as soon as possible.