Heartbleed bug turned cyber criminals from attackers into victims

The Heartbleed bug has turned cyber criminals from attackers into victims as researchers use it to grab material from chatrooms where they trade data.

Discovered in early April, Heartbleed lets attackers steal data from computers using vulnerable versions of some widely used security programs.

Now it has given anti-malware researchers access to forums that would otherwise be very hard to penetrate.

The news comes as others warn that the bug will be a threat for many years.

The Heartbleed vulnerability was found in software, called Open SSL, which is supposed to make it much harder to steal data. Instead, exploiting the bug makes a server hand over small chunks of the data it has just handled – in many cases login details or other sensitive information.

French anti-malware researcher Steven K said: “The potential of this vulnerability affecting black-hat services (where hackers use their skills for criminal ends) is just enormous.”

Heartbleed had put many such forums in a “critical” position, he said, leaving them vulnerable to attack using tools that exploit the bug.

Steven K said he was using specially written tools to target some closed forums called Darkode and Damagelab.

“Darkode was vulnerable, and this forum is a really hard target,” he said.

“Not many people have the ability to monitor this forum, but Heartbleed exposed everything.”

Charlie Svensson, a computer security researcher at Sentor, which tests company’s security systems, said: “This work just goes to show how serious Heartbleed is. You can get the keys to the kingdom, all thanks to a nice little heartbeat query.”

Individuals who repeat the work of security researchers such as Steven K could leave themselves open to criminal charges for malicious hacking.

The widespread publicity about Heartbleed had led operators of many websites to update vulnerable software and urge users to change passwords.

Many so-called smart devices, such as home routers, CCTV cameras, baby monitors and home-management gadgets that control heating and power, were now known to be vulnerable to Heartbleed-based attacks.

A survey by tech news site Wired found that smart thermostats, cloud-based data services, printers, firewalls and video-conferencing systems were all vulnerable.

Other reports suggest the makers of some industrial control systems are also now producing patches for their software to limit the potential for attack.