LOGBOOK

HELP

Quiz Entry - updated: 2026.07.05

What was the Heartbleed vulnerability and why was it dangerous?

A buffer over-read in OpenSSL (CVE-2014-0160) where a client-controlled length let attackers read server memory — leaking keys and passwords with no trace.

A normal heartbeat request beside a malicious one whose oversized length field returns extra server memory.

* The server echoes back more bytes than the client actually sent, leaking adjacent memory. — FenixFeather, CC BY-SA 3.0, via Wikimedia Commons. *

CVE-2014-0160 — a buffer over-read in OpenSSL's TLS heartbeat extension that leaked server memory.

How it worked: The heartbeat protocol echoes back a message to confirm the connection is alive. The client sends "echo this MESSAGE (length N)". The server trusted the client-specified length without verifying it matched the actual message.

The attack: Send a 1-byte message claiming length 64KB → server returns 64KB of adjacent memory containing private keys, passwords, session tokens.

The bug was introduced in 2011 and passed code review, sitting in production for ~3 years before being discovered in 2014 — a reminder that review alone doesn't catch every memory-safety flaw.

Why it was devastating: the attack needed no authentication and left no trace in the logs, so victims couldn't even tell they'd been read. Worse, because the server's private TLS key could be leaked, an attacker who had also recorded earlier encrypted traffic could go back and decrypt it. At its peak it affected roughly 17% of the internet's "secure" (HTTPS) web servers, forcing a mass re-issuing of certificates and keys.

Lesson: never trust a client-provided length or size — always check it against the data you actually hold before copying.

See: https://heartbleed.com/

Go deeper:

From Quiz: SPRG / Secure Programming Introduction | Updated: Jul 05, 2026