Discovered in early April, Heartbleed lets attackers steal data from computers using vulnerable versions of some widely used security programs.
Now it has given anti-malware researchers access to forums that would otherwise be very hard to penetrate.
The news comes as others warn that the bug will be a threat for many years.
The Heartbleed vulnerability was found in software, called Open SSL, which is supposed to make it much harder to steal data. Instead, exploiting the bug makes a server hand over small chunks of the data it has just handled – in many cases login details or other sensitive information.
French anti-malware researcher Steven K said: “The potential of this vulnerability affecting black-hat services (where hackers use their skills for criminal ends) is just enormous.”
Heartbleed had put many such forums in a “critical” position, he said, leaving them vulnerable to attack using tools that exploit the bug.
Steven K said he was using specially written tools to target some closed forums called Darkode and Damagelab.
“Darkode was vulnerable, and this forum is a really hard target,” he said.
“Not many people have the ability to monitor this forum, but Heartbleed exposed everything.”
Charlie Svensson, a computer security researcher at Sentor, which tests company’s security systems, said: “This work just goes to show how serious Heartbleed is. You can get the keys to the kingdom, all thanks to a nice little heartbeat query.”
Individuals who repeat the work of security researchers such as Steven K could leave themselves open to criminal charges for malicious hacking.
The widespread publicity about Heartbleed had led operators of many websites to update vulnerable software and urge users to change passwords.
Many so-called smart devices, such as home routers, CCTV cameras, baby monitors and home-management gadgets that control heating and power, were now known to be vulnerable to Heartbleed-based attacks.
A survey by tech news site Wired found that smart thermostats, cloud-based data services, printers, firewalls and video-conferencing systems were all vulnerable.
Other reports suggest the makers of some industrial control systems are also now producing patches for their software to limit the potential for attack.
D81LlkkunV4Quincy Jones, the celebrated musician and producer who worked with Michael Jackson, Frank Sinatra, Ray…
Misleading allegations, rumours and outright lies about voting and fraud are flooding online spaces in…
At least 158 people have died in Spain's worst flooding disaster in generations. On October…
Google has been fined two undecillion (a two followed by 36 zeroes) roubles by a…
Embarking on a home remodel is an exciting journey, promising enhanced comfort, increased property value,…
The US presidential candidates continued to campaign across key swing states on October 20. Footage…