Most people are now up to speed about the existence of Heartbleed, but new information is coming out that the focus has only been on server side exploits. Meldium, released a blog post titled Testing for “reverse” Heartbleed. According to Meldium, “While patching our systems for the recent Heartbleed vulnerability, we found that some sites (including huge web properties), which had patched their servers were still vulnerable to a variant of the attack that we’re calling “reverse heartbleed.” They have also released a tool to test this.
What does this mean?
Basically it means that OpenSSL patching can’t stop just at servers and infrastructure devices. It has to go all the way down to the client level. There are many client tools and agents that utilize TLS for communication. Meldium provides a list of the types of clients that are vulnerable:
- Traditional Agents such as Dropbox or Office
- Social Networks such as Facebook fetch URLs of certain types and perform actions on them
- File sharing apps or anything that can allow a user upload an images
- Web spiders like Googlebot
- API consumers that allow integrations across websites
- IDendity federation protocols such as OpenID
- Webhooks which allow a user to register interest in a certain event happening and get a call back.
This particular vulnerability does appear to be harder to exploit than the original heartbleed.
What should you do?
The steps for remediation are the same as the original attack. We have them outlined in our post Heartbleed: What you need to know.