
How the Heartbleed bug works, as explained by a Web comic


Sometimes, the easiest way to explain a concept to someone is with illustrations, or cartoons. Xkcd.com attempts to do just that with this simple comic, which tells a short story of a hacker talking to a server: she uses the Heartbleed exploit to trick the server into leaking more information than it’s supposed to, until it begins to divulge sensitive data.

First, check the comic out below.

[Image: xkcd comic “Heartbleed Explanation”]

First, the girl asks the server to indicate whether it’s still online by telling it to say “Potato,” and indicates the length of the word. The server responds with “Potato,” while withholding all of the information surrounding “Potato,” written out in a lighter hue in the server’s speech bubbles. The hacker then asks the server to repeat the same task, but replaces “Potato” with “Bird,” again indicating the length of the word. The server complies.

Then, the hacker asks the server to say “Hat,” but instead of noting that it’s a three-character word, she states that it’s 500 letters long. The server responds not only by saying “Hat,” but also by leaking out the information around the word. By doing so, it reveals sensitive server information, including a “master key,” which the hacker begins to jot down.

This is a basic explanation of how the Heartbleed bug works. The Heartbleed bug is a flaw in the OpenSSL encryption software used by many of the world’s websites; it was put into the code accidentally by a programmer roughly two years ago.

OpenSSL contains a feature known as the heartbeat extension. With it, while a person is visiting a website that encrypts data using OpenSSL, his computer periodically sends and receives short messages to check whether his PC and the server on the other end are both still connected. The Heartbleed bug allows hackers to send trick heartbeat messages, like the one pictured in the comic above, which can fool a site’s server into relaying data stored in its RAM — including sensitive information such as usernames, passwords, credit card numbers, emails, and more. This is the part of the flaw that the Xkcd comic illustrates.


Editors' Recommendations

Konrad Krawczyk
Former Digital Trends Contributor
Konrad covers desktops, laptops, tablets, sports tech and subjects in between for Digital Trends. Prior to joining DT, he…
This addon for Chrome, Firefox and Opera will tell you if a site is vulnerable to Heartbleed

Though the Heartbleed OpenSSL bug is a fact of life, there are multiple measures you can take to safeguard yourself from the threat that it poses to you and your data. One of the ways we've mentioned is using Chromebleed, a browser extension that tells you whether any website you're viewing is susceptible to the vulnerability. However, the one big problem with Chromebleed is that it's specific to Google Chrome, and isn't compatible with any other browsers.
Fortunately, Netcraft, a UK-based Internet security firm, has created its own self-titled extension, which is available for use with all but two of the most recognizable browsers on the Web.
Once installed, if you're using Google Chrome or Opera, the icon representing the Netcraft extension sits in the top right corner of your browser window, taking the appearance of a lowercase "n" on top of a bright, multi-colored background. In Firefox, Netcraft takes the form of a toolbar, which automatically tells you whether the site you're on is susceptible to Heartbleed. In Chrome and Opera, you'll have to click on the Netcraft icon in order to get a reading, but if there's a threat present, the Netcraft icon will have a "warning triangle" over it. Netcraft also protects you from other dangers, including phishing attacks.
It's currently unclear why Netcraft hasn't developed a version of its extension for Internet Explorer or Safari, and there's no indication that the firm has any plans to develop them either.
Whether you plan to use Netcraft or not, you shouldn't just lean on one method or another to protect yourself from Heartbleed. If you use Google Chrome, you might want to check out Chromebleed. Also, there are a bunch of sites out there you can use to manually scan a site, if you prefer to get the opinions of multiple tools. On top of that, you should strongly consider using two-factor authentication with any Web-based accounts you use that offer it.

Changing your passwords isn’t enough to protect yourself from Heartbleed


There’s no denying that the Heartbleed bug is scary. In fact, it’s arguably the widest and deepest security hole ever discovered on the Web, reportedly leaving roughly two-thirds of the world’s websites at risk.
So if you haven’t done so yet, you should check every site that you have an account with to see if it is or was using the version of OpenSSL that is vulnerable to the bug. Also, check whether those vulnerable sites have fixed their Heartbleed wounds yet, by updating their security certificates.

There’s no point in updating all your passwords yet, because many sites are still vulnerable to the bug, and all indications are that it will take at least several weeks before all the affected websites have patched the Heartbleed hole.
So what should you do in the meantime? A great first step would be to upgrade your Web security measures so that a hacker will need more than just your password to access your most important accounts (like, say, Google, PayPal, and Dropbox). You should also start using a password manager, like LastPass, so that when the next big security issue hits, you’ll know exactly which passwords you’ll need to change. With LastPass, you can make sure you’re using a different password for each site, and (if you opt for the $12-a-year premium account) you can use an app on your smartphone to autofill all your passwords, which makes changing them a whole lot easier.
But first, let’s talk about two-factor authentication.
Two-factor authentication is a great defense against leaked passwords
When news of Heartbleed first hit, I was surprised, but not that worried. Why? Because I set up two-factor authentication on many of my most important accounts ages ago.
Two-factor authentication is sometimes also called 2FA, or two-step verification. With this set up, when you log into an account on a device you haven’t used before, you have to provide both your password and something else—a second form of authentication.

Here’s how the Heartbleed bug scurried into the hearts and minds of millions

On April 7, 2014, the world learned of what’s possibly the most severe security bug in the history of the Internet. It's called Heartbleed.
Discovered simultaneously by Neel Mehta, a security researcher at Google, and Finnish security firm Codenomicon, the bug compromises a security protocol commonly used by devices and websites worldwide. Heartbleed makes it possible for a hacker to scrape data from memory – including passwords, bank account numbers, and anything else lingering inside.
The severity of the bug left many wondering how it could happen. OpenSSL, the security protocol in which the bug was found, is used all over the world. It’s used not just in servers, but also in routers and even some Android smartphones. You might think that some responsible party has a team of security researchers checking and double-checking the code, but in truth OpenSSL is managed by a small group consisting mostly of volunteers.
Opening to OpenSSL
OpenSSL boasts its open-source origin in its name. Founded in 1998, the project was created to provide a set of free encryption tools for Internet servers. This was an important goal; encryption is critical and common. A free standard was needed to make sure it would be adopted as quickly as possible. The project was wildly successful, and quickly became one of the Internet’s most important security tools.
Yet success did not result in expansion or profits. OpenSSL generates income only through support contracts, which provide access to troubleshooting and consulting from the organization itself.
These contracts provide a minor stream of revenue, but the project is far from being overflowing with cash. The OpenSSL Software Foundation has never earned more than one million dollars in gross annual revenue. Donations have been anemic as well; the organization usually receives about $2,000 each year.
This results in a predictably tiny staff. The “core team” is made up of only four individuals, and the development team adds seven more names to the list. That’s a total of just 11 people, most of them volunteers, responsible for a critical encryption standard. Only one of them, Dr. Stephen Henson, focuses on OpenSSL entirely. Everyone else has another full-time job.
Steve Marquess, who manages the organization’s money, said it best. “The mystery is not that a few overworked volunteers missed the bug; the mystery is why it hasn’t happened more often.”
Mistakes were made
That’s what the entire crisis boils down to – a mistake. The error was introduced by Robin Seggelmann, a German volunteer working on an OpenSSL extension called Heartbeat. He submitted the code on New Year’s Eve, 2011, and it subsequently slipped through the review process. Heartbleed has existed, unknown to the public, for over two years.
Other members of the project double-check submitted code during the review, but mistakes happen, so it’s hardly a surprise that a bug eventually slipped through. Even multi-billion dollar companies like Microsoft and Cisco are hit by their fair share of embarrassing exploits.
The problem stems from allocating memory according to a value that can be defined by a request. If the user provides a valid input, the function works as intended. However, if an invalid request is made, the code dumps part of what’s in memory, including information that’s supposed to be secure and encrypted. This web comic also explains Heartbleed, should you deem a visualization to be helpful.
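A toy model of the mechanism described in this paragraph and in the comic walkthrough in the first article above, added here as an example (it is not the page's or OpenSSL's code): a constructed memory image holds a heartbeat record followed by a made-up "master key"; the vulnerable handler copies whatever length the peer claimed, while the fixed one applies the same bounds check as the OpenSSL patch. The record layout (type, two-byte length, payload, 16 bytes of padding) follows the real heartbeat message; the memory contents and function names are assumptions for the demonstration.

```c
#include <stdint.h>
#include <string.h>

/* Constructed memory image (not OpenSSL's code): the heartbeat record sits at
 * offset 0, followed by data that belongs to other connections. */
static unsigned char mem[1024];
static const char SECRET[] = "user=alice MASTER KEY: constructed-example-value";
static unsigned char out[sizeof mem + 1];              /* the server's reply */

/* Record layout as in the real protocol: type(1) | length(2, big-endian) |
 * payload | 16 bytes padding. A lying peer sets claimed_len larger than the
 * payload it actually sent. Returns the true size of the record. */
static size_t setup(const char *payload, uint16_t claimed_len) {
    size_t plen = strlen(payload), rec_len = 3 + plen + 16;
    memset(mem, 'x', sizeof mem);                       /* leftovers from earlier use */
    mem[0] = 1;                                         /* heartbeat request */
    mem[1] = (unsigned char)(claimed_len >> 8); mem[2] = (unsigned char)claimed_len;
    memcpy(mem + 3, payload, plen);
    memcpy(mem + rec_len, SECRET, sizeof SECRET - 1);   /* adjacent memory */
    return rec_len;
}
/* Vulnerable: the peer's claim is never compared with the record that arrived. */
static int heartbeat_vulnerable(const unsigned char *rec, size_t rec_len, unsigned char *reply) {
    uint16_t len = (uint16_t)((rec[1] << 8) | rec[2]); (void)rec_len;
    memcpy(reply, rec + 3, len);     /* runs past the record into neighbouring memory */
    return len;
}
/* Same shape as the OpenSSL patch: a claim that does not fit inside the
 * received record is discarded without a reply. */
static int heartbeat_fixed(const unsigned char *rec, size_t rec_len, unsigned char *reply) {
    if (rec_len < 1 + 2 + 16) return -1;                /* no room for a header */
    uint16_t len = (uint16_t)((rec[1] << 8) | rec[2]);
    if (1 + 2 + (size_t)len + 16 > rec_len) return -1;  /* claim exceeds the record */
    memcpy(reply, rec + 3, len);
    return len;
}
/* The comic's "say Hat, 500 letters" against each handler, then an honest
 * "say Hat, 3 letters" to show the fix still answers real heartbeats. */
int vulnerable_leaks_secret(void) {
    int n = heartbeat_vulnerable(mem, setup("Hat", 500), out);
    out[n] = 0;
    return strstr((char *)out, "MASTER KEY") != NULL;   /* 1: the key came back */
}
int fixed_drops_request(void) {
    return heartbeat_fixed(mem, setup("Hat", 500), out) == -1;
}
int fixed_answers_honest_request(void) {
    int n = heartbeat_fixed(mem, setup("Hat", 3), out);
    return n == 3 && memcmp(out, "Hat", 3) == 0;
}
```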
Some software engineers believe that the existence of the bug raises questions about the security of C, the language in which the Heartbeat extension was written. Though popular, C is a complex language that offers a lot of opportunity for errors in memory management and the handling of values. A bug in another open-source SSL implementation, GnuTLS, cropped up a month before Heartbleed, and it was also written in C. That bug was even older; the code responsible for it was added in 2005.
What’s the next step?
Human error is ultimately to blame for Heartbleed, but the fault doesn’t fall solely on the shoulders of a single coder. OpenSSL is free software used by Fortune 500 companies, governments and even military organizations, yet these outfits almost never contribute funding or manpower to the project.
That’s a systemic failure on a staggering scale, yet the obvious need for more oversight hasn’t spurred many people in positions of great wealth or power to action. OpenSSL Software Foundation money-man Steve Marquess says that donations have increased since the bug’s discovery, but, as of April 12, still totaled no more than $9,000 for the year. Most of that came from individuals pledging $5 or $10. Companies and governments seem very concerned, yet pledges of real support are ominously absent.
The world also must learn from this mistake. Using an open-source project without contributing to it is, in the long term, a recipe for disaster – particularly when the project is a critical part of network infrastructure. The Internet’s security shouldn’t be upheld by a handful of volunteers who find their names in the news only when something goes wrong.