OK, essentially the Heartbleed bug was that the OpenSSL library was not checking the actual size of the heartbeat request and was responding with extra data, giving out some memory junk while trying to keep its answer the same size as the initial request.

Did it relate only to users who were authorized on a website, or could any malicious user having no account on that service and knowing no passwords start fumbling? In other words, did the actual users of a service have wider possibilities to use this bug than others?

user164863

1 Answer

Heartbleed bug - does authorization matter?

Non-authenticated users who access a site anonymously can theoretically access any memory in the server's process space. Fortunately, it appears the attacker cannot control what area of memory he/she reads. The attacker happens to get memory around the Heartbeat Message (wherever that memory happens to be).

Authentication often occurs with passwords. Authorization usually occurs using a token or cookie. The token or cookie is a product of a successful authentication. Those secrets can be found in memory, too. Hence the reason that passwords and sessions were also reset.

jww
  • So 10 such requests sent consecutively will get back the same data from the same part of memory, right? – user164863 Apr 17 '14 at 10:25
  • ... and why many internet services were asking to change passwords, those do not sit in the server memory? – user164863 Apr 19 '14 at 22:48
  • @user164863 - passwords are authentication, not authorization. Once you authenticate, you are authorized to access resources. After you are authenticated, you are usually provided with a token or cookie for subsequent access. The password is usually *not* used for subsequent accesses (or it's not used in a well designed system). – jww Apr 20 '14 at 02:23
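
The missing length check described in the question, next to the corrected check, as an added example (not code from this thread or from OpenSSL). It shows that the decision depends only on the heartbeat record itself, so no account or login state is involved. `hb_respond`, `demo`, the buffer layout and the `cookie=SAMPLE` string are constructed for illustration, and the response omits its own padding for brevity.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16   /* RFC 6520 requires at least 16 padding bytes */

/* Record layout: type(1) | payload_length(2, big-endian) | payload | padding.
 * Returns the response length, or 0 when the record is silently discarded.
 * check_bounds = 0 reproduces the missing length check the question describes. */
size_t hb_respond(const uint8_t *rec, size_t rec_len, int check_bounds,
                  uint8_t *out, size_t out_cap)
{
    if (rec_len < 3 || rec[0] != HB_REQUEST)
        return 0;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    /* The fix: the claimed payload must fit inside the record actually received. */
    if (check_bounds && 1 + 2 + claimed + HB_PADDING > rec_len)
        return 0;
    if (3 + claimed > out_cap)
        return 0;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, claimed);   /* unchecked: reads past the record */
    return 3 + claimed;
}

/* Constructed stand-in for process memory; reply is no larger, so the over-read stays in bounds. */
static uint8_t memory[64], reply[64];
enum { REC_LEN = 3 + 2 + HB_PADDING };   /* real payload is the 2 bytes "hi" */

size_t demo(uint16_t claimed, int check_bounds)
{
    memset(memory, 0, sizeof memory);
    memory[0] = HB_REQUEST;
    memory[1] = (uint8_t)(claimed >> 8);
    memory[2] = (uint8_t)(claimed & 0xff);
    memcpy(memory + 3, "hi", 2);
    memcpy(memory + REC_LEN, "cookie=SAMPLE", 13);   /* constructed neighbour data */
    return hb_respond(memory, REC_LEN, check_bounds, reply, sizeof reply);
}

int main(void)
{
    printf("unchecked: %zu, checked: %zu, honest: %zu\n", demo(31, 0), demo(31, 1), demo(2, 1));
    return 0;
}
```

With the check disabled, the reply to the 31-byte claim carries the neighbouring bytes after the real payload and padding; with the check enabled the same record is dropped and only the honest 2-byte request is answered.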