Heart Bleed bug test: After patch, hackers claim to find flaw in new OpenSSL software
A group of five hackers claim they have found a flaw in the new version of OpenSSL— a software program re-released this month after the Heartbleed bug was fixed.
The hackers put a letter on text application Pastebin on April 22, stating that they worked for two weeks to find a vulnerability in the patched, Heartbleed-free, version of OpenSSL, and are willing to sell the code.
Nicknamed "Heartbleed," the "bug" was actually a weakness in OpenSSL's cryptographic software that made SSL/TLS encryption backfire on computer users. The "https" protocol that is supposed to identify a secure website was actually a signal to hackers that the site is vulnerable to cyber attack. The hackers could then trick a computer's server into sending data stored in its memory.
The hackers claim that even with the fixed OpenSSL, they were able to access 64kB "chunks" of data from servers.
They wrote that they will not make the code public, but will sell it to any "pentester" (or "penetration-tester"), who is willing to pay 2.5 bitcoins—roughly $870. A "penetration-tester" is a hacker who infiltrates computer systems with the goal of finding vulnerabilities.
Computer magazine PC World stated that the Pastebin posting is most likely a scam.
Although there is no way to verify whether an exploit code exists or not, the email address the hackers provided has been used in other online offers of information in exchange for money.
"In March, it was used in a Pastebin posting advertising a trove of data from Mt. Gox, the defunct Tokyo-based bitcoin exchange that was hacked," wrote PC World blogger Jeremy Kirk.
"The same advertisement also offered database dumps from 'carding' websites, or those selling stolen credit card data, and data from CryptoAve, another virtual currency exchange that's been attacked by hackers.
"Scammers often try to make money by falsely claiming they have data of interest to the hacking community."
Security software company Trend Micro stated on their blog that less than 10% of websites worldwide are still vulnerable to Heartbleed. Most of the major companies, including Google, Yahoo, and Facebook, adopted the new cryptographic software as soon as a fix was issued.