An excellent dissection of the Heartbleed bug affecting OpenSSL

Heartbleed Dissection

The short version is that the TLS heartbeat extension (RFC 6520), as implemented in OpenSSL, lets one side send a heartbeat request carrying a payload and the other side echo that payload back. The issue is that the payload length specified in the request header isn't checked against the amount of data actually received, so the responder simply copies back the number of bytes the header indicated. It's a 2-byte field, so that's up to 64 KB (65,535 bytes) per response, and the request can be repeated as often as the attacker likes.

The reason this is a problem is that the responder is copying whatever happens to sit in memory after the received heartbeat record, typically the contents of neighbouring heap allocations left over from other connections. That data may contain user IDs and passwords, session cookies, or the server's private key. Grabbing a user's credentials is obviously bad, but grabbing the private key lets an attacker impersonate the server, and for connections that used RSA key exchange (no forward secrecy) it also lets them decrypt any traffic they have recorded from that server. Because the same code runs on both ends, a malicious server can bleed a vulnerable client in the same way.
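To make the missing check concrete, here is an added example (my own code, not OpenSSL's and not from the linked dissection) that models the heartbeat echo described above. A simulated memory arena holds a heartbeat request followed by an unrelated secret, the way another heap allocation might follow the record. The vulnerable echo trusts the header's payload length and copies the secret into its response; the fixed echo, modelled on the check added in OpenSSL 1.0.1g, discards any record whose claimed payload does not fit in what was actually received. The record layout, the arena, the sample payload and the secret string are all constructed for the demonstration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define TLS1_HB_REQUEST  1
#define TLS1_HB_RESPONSE 2
#define HB_PADDING      16   /* RFC 6520 requires at least 16 bytes of padding */

/* Simulated slice of process memory (constructed for the demo). The heartbeat
 * record is laid out at the start and a secret is placed right after it. In a
 * real process the over-read can reach up to 65535 bytes past the record; here
 * the claimed length is kept inside the arena so the demo itself stays defined. */
#define ARENA_SIZE 4096
static unsigned char arena[ARENA_SIZE];

typedef struct {
    const unsigned char *data;  /* first byte of the heartbeat message */
    size_t record_len;          /* bytes actually received for this message */
} hb_record;

/* Layout: [type][payload_length, 2 bytes big endian][payload][padding], then the
 * neighbouring secret. claimed_len is what the header says; real_len is what is sent. */
static hb_record build_request(const unsigned char *payload, size_t real_len,
                               uint16_t claimed_len, const char *secret)
{
    memset(arena, 0, sizeof arena);
    unsigned char *p = arena;
    *p++ = TLS1_HB_REQUEST;
    *p++ = (unsigned char)(claimed_len >> 8);
    *p++ = (unsigned char)(claimed_len & 0xff);
    memcpy(p, payload, real_len);
    p += real_len;
    memset(p, 0xAA, HB_PADDING);         /* padding; random bytes in OpenSSL */
    p += HB_PADDING;
    hb_record rec = { arena, (size_t)(p - arena) };
    memcpy(p, secret, strlen(secret));   /* the "next allocation" on the heap */
    return rec;
}

/* Writes the response header, then `payload` bytes copied from `src`, then padding. */
static size_t write_response(unsigned char *out, const unsigned char *src, uint16_t payload)
{
    unsigned char *bp = out;
    *bp++ = TLS1_HB_RESPONSE;
    *bp++ = (unsigned char)(payload >> 8);
    *bp++ = (unsigned char)(payload & 0xff);
    memcpy(bp, src, payload);            /* over-reads when payload > real length */
    bp += payload;
    memset(bp, 0xBB, HB_PADDING);
    return (size_t)(bp - out) + HB_PADDING;
}

/* Vulnerable echo (simplified model of the 1.0.1 logic, not the original code):
 * payload_length comes from the header and is never compared with record_len. */
static size_t hb_echo_vulnerable(const hb_record *rec, unsigned char *out, size_t out_cap)
{
    const unsigned char *p = rec->data;
    unsigned char hbtype = *p++;
    uint16_t payload = (uint16_t)((p[0] << 8) | p[1]);
    p += 2;
    if (hbtype != TLS1_HB_REQUEST) return 0;
    if (1 + 2 + (size_t)payload + HB_PADDING > out_cap) return 0;  /* guards only the destination */
    return write_response(out, p, payload);
}

/* Fixed echo: the record must be long enough to hold a header plus padding, and
 * the claimed payload must fit inside what was actually received. */
static size_t hb_echo_fixed(const hb_record *rec, unsigned char *out, size_t out_cap)
{
    if (rec->record_len < 1 + 2 + HB_PADDING) return 0;            /* silently discard */
    const unsigned char *p = rec->data;
    unsigned char hbtype = *p++;
    uint16_t payload = (uint16_t)((p[0] << 8) | p[1]);
    p += 2;
    if (hbtype != TLS1_HB_REQUEST) return 0;
    if (1 + 2 + (size_t)payload + HB_PADDING > rec->record_len) return 0;  /* the missing check */
    if (1 + 2 + (size_t)payload + HB_PADDING > out_cap) return 0;
    return write_response(out, p, payload);
}

static int contains(const unsigned char *hay, size_t hay_len, const char *needle)
{
    size_t n = strlen(needle);
    for (size_t i = 0; i + n <= hay_len; i++)
        if (memcmp(hay + i, needle, n) == 0) return 1;
    return 0;
}

static const unsigned char PING[] = "ping";                       /* constructed payload */
static const char SECRET[] = "user=alice;password=hunter2";       /* constructed secret */

/* 1 if the vulnerable echo leaks the neighbouring secret when 200 bytes are claimed but 4 sent. */
int vulnerable_leaks_secret(void)
{
    hb_record rec = build_request(PING, 4, 200, SECRET);
    unsigned char out[1024];
    size_t n = hb_echo_vulnerable(&rec, out, sizeof out);
    return n == 219 && contains(out + 3, n - 3, SECRET);
}

/* 1 if the fixed echo drops the same malformed request entirely. */
int fixed_rejects_oversized_claim(void)
{
    hb_record rec = build_request(PING, 4, 200, SECRET);
    unsigned char out[1024];
    return hb_echo_fixed(&rec, out, sizeof out) == 0;
}

/* 1 if the fixed echo still answers an honest 4-byte request with exactly that payload. */
int fixed_echoes_honest_request(void)
{
    hb_record rec = build_request(PING, 4, 4, SECRET);
    unsigned char out[1024];
    size_t n = hb_echo_fixed(&rec, out, sizeof out);
    return n == 1 + 2 + 4 + HB_PADDING && memcmp(out + 3, PING, 4) == 0 && !contains(out, n, SECRET);
}

int main(void)
{
    printf("vulnerable echo leaks secret:  %d\n", vulnerable_leaks_secret());
    printf("fixed echo rejects bad claim:  %d\n", fixed_rejects_oversized_claim());
    printf("fixed echo answers honest one: %d\n", fixed_echoes_honest_request());
    return 0;
}
```

The only difference between the two echo routines is the comparison of the claimed payload length against `record_len`; everything else, including the bound on the output buffer, is identical, which is why the output-side check alone never protected anything.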