The Heartbleed internet security bug that has threatened personal data online has been turned on cyber criminals to help expose them when they trade information on the web.
Anti-malware researchers have, thanks to the bug, been able to access previously protected chatrooms and forums in order to monitor the data being exchanged by hackers. According to industry experts, the Heartbleed bug has left many forums used by online criminals in a “critical” position, and vulnerable to attack for the first time.
Hugh Boyes from the London-based Institution of Engineering and Technology (IET) said: “Whilst commendable that security researchers have used the Heartbleed bug to access closed forums used by cyber criminals, it is a pity that this has been publicised. The site operators are likely to quickly remedy this weakness.
“The report that underground forums are vulnerable demonstrates that the Heartbleed bug is a serious vulnerability. It allows access to more than login credentials. Website operators should check that their sites are not vulnerable. If they are then the bug should be fixed as a matter of urgency.”
The Heartbleed bug was discovered earlier this month, having gone undetected for more than two years. It is a flaw in OpenSSL, the software many computers use to encrypt data so that it is harder to steal.
The flaw led to major internet companies encouraging their users to change passwords and login details in order to protect themselves from a potential hack.
UK-based parents forum Mumsnet was the first British site to confirm a hack, but couldn’t specify what data had been accessed. At the time of the breach, Mumsnet founder Justine Roberts said: “Heartbleed has shown that nobody can offer a 100 per cent guarantee of online security, but we’ll continue to do our best to protect our users as much as we can, and be transparent about any breaches we find.”
Mr Boyes added: “Threats to embedded and control systems are also very serious. Some manufacturers have already shipped patches. These need to be tested and installed as soon as possible. The bug has demonstrated the need for trustworthy software.”
But cyber criminals aren’t beyond the reach of Heartbleed, with their own personal information now reachable because of vulnerabilities in forums like Darkode and Damagelab, both popular with hackers.
Speaking to the BBC, French anti-malware researcher Steven K said: “Darkode was vulnerable, and this forum is a really hard target. Not many people have the ability to monitor this forum, but Heartbleed exposed everything.”
The IET previously described the Heartbleed bug as a “serious software defect”, while independent online security expert Bruce Schneier said “On a scale of one to 10, this is an 11” when the defect was first reported by security experts, including a team from Google.
Software patches to fix the flaw are still being rolled out by websites, and other security experts have warned that the bug could be an issue for years to come.