An Anonymous group claims to have explored a new vulnerability in the latest version of OpenSSL, which was updated after the Heartbleed flaw. The Flaw affected almost all of the popular websites we use daily.
According to group members-the bug is similar to Heartbleed, but some of the experts are questioning their claims.
In a post at pastebin, Hackers wrote:
We have just found an vulnerability in the patched version OpenSSL. A missing bounds check in the handling of the variable DOPENSSL_NO_HEARTBEATS. We could successfully Overflow the DOPENSSL_NO_HEARTBEATS and retrieve 64kb chunks of data again on the updated version,
the hackers wrote on Pastebin.
Hackers also claim that they can personally use this vulnerability for a long time before it gets patched, and on the other hand they are selling out that exploit for 2.5 Bitcoins ($1,069 / €780) or 100 Litecoins ($973 / €725).
Group is unknown, as we said above, but they have an email address which is [email protected]
We are team of five people, and we have coded non-stop for 14 days to see if we could find a workaround, and we did it! We have no reason to make it public when the vendors will go for a update again, they wrote.
What is the proof, that their vulnerability is working:
So, here comes twist-is there any video which proves that really their exploit is working, NO-They don’t have anything like that, but they have a screenshot which is of a response from a server. However, this is not enough to prove that the flaw is really working and experts questioning on their claims.
“They say: ‘A missing bounds check in the handling of the variable DOPENSSL_NO_HEARTBEATS’. That’s not a variable, the ‘D’ is not actually part of the name, and it’s a compile-time macro that configures whether heartbeats will be compiled in or not,” one of the security expert and programmer Jann Horn noted on the Full Disclosure mailing list.
“And because it’s a compile-time thing, it’s nothing that an attacker could ever influence,” Horn added.
Some really believe what are you thinking now-IT IS A MONEY-MAKING SCAM. Yes, it could be, as their contact email [email protected] was used in the past by a group that offered to sell user information and source code from Mt. Gox and CryptoAve.
We will update this news, if this exploit really works or any update comes from Hackers’ end or experts’ end.