Hacker successfully uses Heartbleed to retrieve private security keys

This morning, content distribution network Cloudflare gave some hope to those affected by the Heartbleed security flaw with an announcement that the bug might not be as bad as feared. In two weeks of testing, Cloudflare said, its researchers failed to exploit the bug to steal a website's private SSL keys, which secure the data sent to users. It issued a challenge to white-hat hackers to successfully retrieve the private security keys — and unfortunately for the web, one of them succeeded.

The hacker, Node.js team member Fedor Indutny, claimed on Twitter that he'd tracked down the SSL keys.

The implications for the web are significant. Even after a server is patched to fix the Heartbleed vulnerability, the private keys can continue to be used to access user data unless whoever is running the server updates its security certificate. The news also directly contradicts Cloudflare's earlier claim that it "may in fact be impossible" to retrieve the SSL keys. The company has yet to issue a statement, but, according to the challenge website, promises to offer details soon.

Update April 11, 10:02PM EST: Cloudflare now states that two hackers, Fedor Indutny and Ilkka Mattila, both managed to obtain the private SSL key.