Major Security Flaw 'Heartbleed' Puts Critical Services at Risk

A major security flaw affecting over half the internet could have a disproportionate impact on vulnerable bitcoin services.

Apr 8, 2014 at 10:36 a.m. UTC
Updated Sep 3, 2021 at 11:31 a.m. UTC


Over half the internet could have been compromised by a two-year-old security flaw that also could affect a number of online bitcoin services, it was revealed today.

The vulnerability, named 'Heartbleed', affects versions of OpenSSL, an open-source implementation of the SSL and TLS internet security protocols that encrypt and secure internet traffic, including passwords, messages, e-commerce and banking sessions, and other sensitive data, as well as Virtual Private Networks (VPNs). OpenSSL is the most popular software library used for this purpose.

Two years old

The Heartbleed flaw has reportedly been known to researchers since 2011, and even to 'black hat' hackers since 2012, meaning critical data on a large portion of the internet has been openly available for years. There have been no confirmed reports of exploits, though attacks leave no trace.

Security admins around the world are now hurriedly applying a fix, and changing certificates and secret keys on the off-chance they could have been compromised.

Since it weakens any site using the 'secure' https protocol, the threat isn't specifically to bitcoin services like wallets and exchanges. But given authorities' tendency to ignore bitcoin thefts, or their inability to investigate them effectively, it could leave bitcoin services more vulnerable than 'traditional' online financial or other critical ones.

Test your services' sites

Italian security expert Filippo Valsorda built a web-based test that allows anyone to enter a server's hostname to see if it is affected or not. He also posted open-source code for the test on GitHub.

At the time of writing, entering major bitcoin services' addresses on Valsorda's site showed that Blockchain, Coinbase and BitPay were safe, but that the world's most popular exchange, Bitstamp, remained vulnerable.

Valsorda, too, was more concerned about online bitcoin services than about bitcoin software that does not serve live TLS connections, saying the bug was "simple to exploit and not that quick to patch".

"It's fundamental to tell everyone to check all their servers and update ASAP [...] I can't obviously be positive about it, but bitcoin-specific software (local wallets, etc.) should not be affected even if they use OpenSSL, since the bug is only triggerable in live TLS connections."

"However almost everything public facing in the Bitcoin ecosystem is (rightly) secured with TLS (think all web wallets, exchanges but also APIs and Mail servers) and potentially (probably) affected."

Rushing to patch software, rotate certs

It's estimated that over 50% of internet servers use some form of OpenSSL (and probably a lot more). The thought that over half the internet's sensitive data could have been exposed for two years has left security departments sweating.

Exploiting Heartbleed, an attacker could read the RAM of affected systems, up to 64 kilobytes of data at a time; repeated requests can accumulate enough of that memory to recover a system's secret keys. Those keys are used to encrypt and decrypt sensitive traffic and to identify service providers.

Once secret keys are obtained, attackers could read any traffic to and from a server openly, or impersonate services and users.

Attacks on a vulnerable system do not require man-in-the-middle techniques and leave no trace, leaving sysadmins with no sure way to know whether their systems have been compromised.

The extent of the potential damage left some reeling:

– matt blaze (@mattblaze) 8th April 2014

, developer and chair of the Bitcoin Foundation's Law and Policy Committee, said he hoped the impact on bitcoin services would be limited, but noted that bitcoin services didn't always employ best practices for security:

"I'm hoping the impact will be limited. Major sites will have to rotate their SSL keys after upgrading [...] Most sites should have the private keys for their wallets in a different server process where the data cannot be extracted this way. However it will not surprise me if a few sites are not working this way for whatever reason and might suffer thefts."

Companies react

Following the news, many bitcoin and altcoin exchanges took to Twitter to issue official responses and update users on their progress tackling the flaw.

— Bitstamp (@Bitstamp) April 8, 2014

In an interview with CoinDesk, Bitstamp CEO Nejc Kodrič revealed that although the company had patched its servers successfully, its DDoS mitigation provider, Incapsula, must do the same to ensure full security.

Hence, the exchange has chosen to remain "on the safe side" and temporarily deactivate account registrations, account logins and all virtual currency withdrawal functions.

Other exchanges have since issued similar statements via the platform, including Bitfinex, a recent addition to CoinDesk's BPI.

— Bitfinex.com (@bitfinex) April 8, 2014

Meanwhile, platforms like localbitcoins.com and Bitcurex have reported greater success:

— LocalBitcoins.com (@LocalBitcoins) April 8, 2014

Blockchain.info also released a statement via its website stating that it upgraded its services a week ago. The company also emphasised that wallet passwords are never sent to its server.

It added: "We'll be continuing to investigate as needed and provide you with any necessary updates."

Public information release

News of Heartbleed's existence was released by Finnish IT security consultancy Codenomicon, which published the description after trying the exploit for itself. A Google Security engineer, Neel Mehta, reported it to the OpenSSL team, while Adam Langley and Bodo Moeller prepared a fix.

The name comes from the bug's location in OpenSSL's 'heartbeat' extension; it does not represent any flaw in the SSL/TLS protocol itself.

Codenomicon said exploitation was 'easy' and that it had successfully attacked its own services, gaining access to secret keys for X.509 certificates, user names and passwords, and other 'business critical' communications.

OpenSSL's security advisory said Heartbleed affected 1.0.1 and 1.0.2-beta releases of the software library, including 1.0.1f and 1.0.2-beta1.

"A missing bounds check in the handling of the TLS heartbeat extension can be used to reveal up to 64k of memory to a connected client or server," it read, advising users either to upgrade immediately or to remove heartbeats from their version of OpenSSL by recompiling it with -DOPENSSL_NO_HEARTBEATS.
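The "missing bounds check" the advisory describes, and the 64 KB-per-request memory read described earlier, come down to one trusted length field. The toy below is an added example, not code from the article, from OpenSSL or from Codenomicon. It models the heartbeat record layout (a 1-byte type, a 2-byte payload length, the payload, and at least 16 bytes of padding) with two handlers: one that echoes as many bytes as the peer's length field claims, and a hardened one that first checks the claim against the number of bytes actually received, which is the shape of the OpenSSL fix. To keep the demonstration memory-safe, the "process memory" is a constructed 128-byte arena in which the record is followed by a constructed marker string standing in for adjacent heap data; all buffer contents and function names are constructed for this example.

```c
/* Added example: a toy TLS heartbeat handler in two forms, to show why
 * the bounds check matters. Not OpenSSL code; record layout follows the
 * heartbeat extension (type, 2-byte length, payload, >=16 bytes padding).
 * All buffer contents below are constructed sample data. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16

/* Big-endian 16-bit payload length from the record header. */
static uint16_t hb_payload_len(const unsigned char *rec) {
    return (uint16_t)((rec[1] << 8) | rec[2]);
}

/* Heartbleed-style handler: trusts the peer-supplied payload length and
 * copies that many bytes from where the record sits in memory, however
 * many bytes actually arrived. `mem`/`mem_len` is the surrounding buffer
 * (a stand-in for adjacent heap) so the toy stays within one allocation.
 * Returns bytes written to `out`, or -1 on input the toy cannot handle. */
int heartbeat_reply_unchecked(const unsigned char *mem, size_t mem_len,
                              size_t rec_len, unsigned char *out, size_t out_cap) {
    if (rec_len < 3 || mem_len < rec_len || mem[0] != HB_REQUEST) return -1;
    uint16_t payload_len = hb_payload_len(mem);
    /* No comparison of payload_len against rec_len: this is the flaw.
     * The only limit is the arena itself, so the demo never over-reads
     * a real allocation. */
    if ((size_t)payload_len + 3 > mem_len || (size_t)payload_len + 3 > out_cap) return -1;
    out[0] = HB_RESPONSE;
    out[1] = mem[1];
    out[2] = mem[2];
    memcpy(out + 3, mem + 3, payload_len);
    return (int)payload_len + 3;
}

/* Hardened handler (the shape of the OpenSSL fix): the claimed payload
 * must fit inside the record actually received, including the mandatory
 * padding; otherwise the record is silently dropped. */
int heartbeat_reply_checked(const unsigned char *rec, size_t rec_len,
                            unsigned char *out, size_t out_cap) {
    if (rec_len < 1 + 2 + HB_PADDING || rec[0] != HB_REQUEST) return -1;
    uint16_t payload_len = hb_payload_len(rec);
    if (1 + 2 + (size_t)payload_len + HB_PADDING > rec_len) return -1; /* the bounds check */
    if ((size_t)payload_len + 3 > out_cap) return -1;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload_len);
    return (int)payload_len + 3;
}

/* Constructed marker standing in for sensitive data adjacent to the record. */
static const char SECRET[] = "CONSTRUCTED-PRIVATE-KEY-BYTES";

/* Lay out the arena: a request whose header claims `claimed_len` payload
 * bytes but carries only 2 ("hi") plus 16 bytes of zero padding, followed
 * by the marker. Returns the length of the record actually received (21). */
static size_t build_arena(unsigned char *arena, size_t arena_len, uint16_t claimed_len) {
    memset(arena, 0, arena_len);
    arena[0] = HB_REQUEST;
    arena[1] = (unsigned char)(claimed_len >> 8);
    arena[2] = (unsigned char)(claimed_len & 0xff);
    arena[3] = 'h';
    arena[4] = 'i';
    size_t rec_len = 3 + 2 + HB_PADDING;
    memcpy(arena + rec_len, SECRET, sizeof SECRET);
    return rec_len;
}

static int contains(const unsigned char *buf, size_t n, const char *needle) {
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(buf + i, needle, m) == 0) return 1;
    return 0;
}

/* 1 if the unchecked handler echoes the marker from beyond the record. */
int heartbleed_demo_leaks(void) {
    unsigned char arena[128], out[128];
    size_t rec_len = build_arena(arena, sizeof arena, 64);
    int n = heartbeat_reply_unchecked(arena, sizeof arena, rec_len, out, sizeof out);
    return n > 0 && contains(out, (size_t)n, SECRET);
}

/* The checked handler's verdict on the same malformed record: -1 (dropped). */
int heartbleed_demo_checked(void) {
    unsigned char arena[128], out[128];
    size_t rec_len = build_arena(arena, sizeof arena, 64);
    return heartbeat_reply_checked(arena, rec_len, out, sizeof out);
}

/* Reply length for an honest request (claims 2 bytes, carries 2): 5. */
int heartbeat_demo_honest(void) {
    unsigned char arena[128], out[128];
    size_t rec_len = build_arena(arena, sizeof arena, 2);
    return heartbeat_reply_checked(arena, rec_len, out, sizeof out);
}

int main(void) {
    printf("unchecked handler echoes adjacent memory: %s\n", heartbleed_demo_leaks() ? "yes" : "no");
    printf("checked handler verdict on the same record: %d\n", heartbleed_demo_checked());
    printf("checked handler reply length for an honest request: %d\n", heartbeat_demo_honest());
    return 0;
}
```

The honest request and the malformed one differ only in two header bytes, which is why the flaw leaves no trace in ordinary logging: nothing about the connection is abnormal except a length field the peer controls. The fix is a single comparison against the record length the TLS layer already knows, which is also why recompiling without heartbeats was offered as the stopgap for anyone unable to upgrade immediately.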

This story was co-authored by Grace Caffyn.

Heart image via Shutterstock
