When servers bleed

April 9, 2014

Intrigued, I pulled down one of the scripts that demonstrated the vulnerability, reviewed it quickly, and ran it against our servers at 6Wunderkinder.

At first, I saw normal-ish looking stuff in the output—at least normal if you’re used to looking at web server requests in raw form. It took a few seconds to recognize that the web request headers that I saw near the top of the output weren’t mine. They were from a user using Chrome on a Windows machine and after them was data from a request that user’s client had made against our API—data that I shouldn’t have been able to see.

My friend Duncan Davidson, TED photographer and now software developer, wrote an intriguing first-hand account of his experience with the recent Heartbleed bug. It’s typical for “the media” to make a huge deal out of everything, and therefore I’m often skeptical of just how severe some things are. Duncan, working first-hand in the web security and tech industries, convinces me otherwise:

Finally, I’m baffled that this didn’t get more media attention. I realize that I’m an insider relative to most, but really, this was one of the most dangerous vulnerabilities we’ve seen in a while.