Testing for “reverse” Heartbleed

Testing for “reverse” Heartbleed:

Importantly, even if the server that you are querying (e.g. Tumblr.com) is patched against this OpenSSL vulnerability the servers behind the front-end of the server may not be. As a result, payment gateways, agents responsible for fetching URLs, some identity federation protocols, and so forth may also be vulnerable. In Meldium’s tests, who have they announced was vulnerable?

  • An unnamed top 5 social network (we’re waiting for confirmation of their fix) that fetched our URL to generate a preview. The memory we extracted from their agent included results from internal API calls and snippets of python source code.
  • Reddit, which can use a URL to suggest a name for a new post, used a vulnerable agent that they’ve now patched. The memory we were able to extract from this agent was less sensitive, but we didn’t get as many samples because they patched so quickly (nice work!).
  • We registered a webhook to our malicious URL at rubygems.org to notify us whenever a gem was published. Within a few minutes, we captured chunks of S3 API calls that the Rubygems servers were making. After the disclosure, they quickly updated OpenSSL and are now protected (really nice work, especially from an all-volunteer staff!).

This is just a very, very small snippet of vulnerable parties. And given how many backend systems will simply not be updated for fear of breaking compatibility (e.g. in the case of payment gateways) this will be a long-term vulnerability.

SSL: the solution to a problem that is persistently generating problems unsolvable by SSL itself.