Heartbleed exploit allows to extract private encryption keys from vulnerable websites
Web services firm Cloudflare reported, Heartbleed exploit allows to extract private encryption keys from vulnerable websites.The company set up an nginx server running a Heartbleed vulnerable version of OpenSSL and invited the security experts to steal its private key. Just nine hours later, software engineer Fedor Indutny and Ilkka Mattila at NCSC-FI had obtained the server’s private keys using Heartbleed vulnerability. According to post published on Cloudflare blog:
“We confirmed that all individuals used only the Heartbleed exploit to obtain the private key. We rebooted the server at 3:08PST, which may have caused the key to be available in uninitialized heap memory as theorized in our previous blog post. It is at the discretion of the researchers to share the specifics of the techniques used.”