The HeartBleed Bug

The encryption flaw that punctured the heart of the Internet and has left almost two-thirds of the world's websites vulnerable to attack by hackers.

This bug was discovered on April 07, 2014, by Neel Mehta from Google Security and the team of security engineers (Riku, Antti and Matti) from Codenomicon, and has affected the v1.0.1 and 1.0.2-beta releases of OpenSSL, including 1.0.1f and 1.0.2-beta1.

XKCD does a better job of explaining a layman's version of the bug. For a more technical description, I would recommend reading Cloudflare's explanation. They even set up a challenge page to lure hackers into exposing the vulnerabilities of the web server by hacking into the private key of the SSL certificate.

Within 3 hours, Fedor Indutny, a core team member of Node.js, cracked the encryption and made the RSA key public. Someone also added a bounty on Hacker News for whoever published and confirmed successful completion of this challenge.

The Bug

The Heartbleed bug, revealed on Monday, was the product of a fluke introduced by a young German researcher. He admitted that he had unintentionally introduced the bug on New Year's Eve 2011 while working on bug fixes for OpenSSL.

The bug was a missing bounds check in the handling of the TLS heartbeat extension, which can be used to reveal up to 64k of memory to a connected client or server. The precise flaw in the source code is illustrated here on GitHub, touted as a billion dollar mistake because a poor coding implementation resulted in this bug.
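
The missing check, as an added example (not OpenSSL's code and not from the original post): a simplified C model of a heartbeat handler using the RFC 6520 message layout, showing how far a handler that trusts the claimed length would read past the record, and the bounds check that stops it. All function and constant names are hypothetical and the sample records are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified model, not OpenSSL's code; every name here is hypothetical.
 * Heartbeat message (RFC 6520):
 *   type(1) | payload_length(2, big-endian) | payload | padding(>=16) */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_HDR      3u
#define HB_PAD      16u

/* Constructed sample records: one honest, one claiming 65535 payload bytes. */
static const uint8_t HB_HONEST[23] = {HB_REQUEST, 0x00, 0x04, 'p', 'i', 'n', 'g'};
static const uint8_t HB_LYING[20]  = {HB_REQUEST, 0xFF, 0xFF, 'x'};
static uint8_t hb_out[HB_HDR + 0xFFFFu + HB_PAD];

static size_t hb_claimed(const uint8_t *rec) { return ((size_t)rec[1] << 8) | rec[2]; }

/* Bytes past the end of the record that a handler trusting payload_length
 * would copy into its reply. Computed only; no out-of-bounds read happens. */
size_t hb_overread_bytes(const uint8_t *rec, size_t rec_len)
{
    if (rec_len < HB_HDR) return 0;
    size_t avail = rec_len - HB_HDR;
    return hb_claimed(rec) > avail ? hb_claimed(rec) - avail : 0;
}

/* Handler with the bounds check. Returns reply length, or 0 if discarded. */
size_t hb_respond_checked(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t cap)
{
    if (rec_len < HB_HDR + HB_PAD || rec[0] != HB_REQUEST) return 0;
    size_t n = hb_claimed(rec);
    if (HB_HDR + n + HB_PAD > rec_len) return 0;  /* claimed length must fit the record */
    if (HB_HDR + n + HB_PAD > cap) return 0;      /* reply must fit the output buffer */
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + HB_HDR, rec + HB_HDR, n);        /* echo only bytes that were received */
    memset(out + HB_HDR + n, 0, HB_PAD);          /* a real implementation pads randomly */
    return HB_HDR + n + HB_PAD;
}

int main(void)
{
    printf("honest: unchecked over-read %zu, checked reply %zu bytes\n",
           hb_overread_bytes(HB_HONEST, sizeof HB_HONEST),
           hb_respond_checked(HB_HONEST, sizeof HB_HONEST, hb_out, sizeof hb_out));
    printf("lying:  unchecked over-read %zu, checked reply %zu bytes\n",
           hb_overread_bytes(HB_LYING, sizeof HB_LYING),
           hb_respond_checked(HB_LYING, sizeof HB_LYING, hb_out, sizeof hb_out));
    return 0;
}
```

The over-read for the second record is just under the 64k ceiling mentioned above, because payload_length is a 16-bit field.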