The threat from Heartbleed is not limited to public websites. The bug actually has a much wider impact than that.
According to Symantec, Heartbleed affects client software just as much: web clients, email clients, chat clients, FTP clients, mobile apps, VPN clients and software updaters.
In short, every client that communicates over SSL/TLS using a vulnerable version of OpenSSL is open to attack.
In addition, Heartbleed affects many servers other than web servers. These include proxies, media servers, game servers, database servers, chat servers and FTP servers.
"In the end, hardware devices are not immune to the vulnerability either. It can affect routers, PBXs and potentially many devices connected to the Internet (the Internet of Things)," said Symantec, in a statement received by detikINET on Friday (18/04/2014).
Attacking vulnerable server software and hardware through Heartbleed works the same way as attacking vulnerable websites. Attacks against clients, however, happen in reverse.
Usually, Symantec added, Heartbleed exploitation has been described as an attacker's client sending a malicious heartbeat message to a vulnerable server, and the server exposing private data in its reply.
But the reverse is also true. A vulnerable client can connect to a server, and the server itself can send a malicious heartbeat message to the client. The client then responds with extra data taken from its memory, potentially exposing credentials and other private data.
Fortunately, even when a client is vulnerable, it may be difficult to exploit in practice. The two main attack vectors are directing the client to connect to a malicious SSL/TLS server, or hijacking the client's connection through an unrelated weakness. Both add complications for the attacker.
Directing Clients to Malicious Servers
According to Symantec, the simplest example of how a client could be exploited is a vulnerable web browser. An attacker only needs to convince the victim to visit a malicious URL, and the attacker's server can then read from the memory of the client's web browser. This puts at risk content such as session cookies from earlier sessions, websites visited, form data and authentication credentials.
"Most popular web browsers do not use OpenSSL but the NSS (Network Security Services) library, which is not susceptible to Heartbleed. However, many command-line web clients (e.g. wget and curl) do use OpenSSL," Symantec said.
The attacker's need to trick a user into visiting a malicious website may reduce the risk somewhat, but user interaction is not always required.
"Imagine an online language translation service where you provide the automated service with the URL of a page in French and the service translates the content into English," he added.
Behind the scenes, the service fetches the content of the French-language page using its own back-end client.
"If you give it the URL of a malicious server, the back-end client can be exploited and the attacker can retrieve sensitive information such as the translation service's code or credentials," Symantec said.
According to Symantec, directing a client to a malicious server as described above requires that the client can be made to visit an arbitrary server. Many clients, however, only connect to preset, hard-coded domains.
Even then, the client can still be exploited. On an open shared network such as public WiFi, traffic can be observed and modified by others, which allows an attacker to redirect a vulnerable client.
Normally, SSL/TLS (e.g. HTTPS, encrypted web browsing) is the solution to this problem, because encryption prevents interception and redirection. However, a malicious heartbeat message can be sent before the SSL/TLS session is fully established.
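The reverse attack described earlier, in which a malicious server answers a vulnerable client with a crafted heartbeat request, and the point just above that such a record can arrive before the session is encrypted, as an added example (not from Symantec, detikINET or OpenSSL): a Python simulation of the pre-fix and patched heartbeat handling with constructed bytes standing in for the client's memory, plus the record-level check that flags a heartbeat whose claimed payload length does not fit in the record while it is still plaintext. Field layouts follow RFC 5246 and RFC 6520; the heap contents and record sequence are constructed for the example.

```python
"""Added example: simulate the Heartbleed reverse attack (malicious server ->
vulnerable client) and the record-level check that catches it.  Constructed
data only; no real TLS stack or network is involved."""
import struct

# TLS record content types (RFC 5246) and heartbeat message types (RFC 6520)
CHANGE_CIPHER_SPEC = 20
HANDSHAKE = 22
HEARTBEAT = 24
HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
MIN_PADDING = 16          # RFC 6520: at least 16 bytes of padding


def tls_record(content_type, body, version=(3, 1)):
    """Wrap body in a TLS record header: type, version, 16-bit length."""
    return struct.pack("!BBBH", content_type, version[0], version[1], len(body)) + body


def heartbeat_request(claimed_len, payload=b""):
    """Build a HeartbeatRequest whose payload_length field is claimed_len,
    regardless of how many payload bytes are really present.  A claimed_len
    larger than len(payload) is the Heartbleed trigger."""
    body = struct.pack("!BH", HEARTBEAT_REQUEST, claimed_len) + payload + b"\x00" * MIN_PADDING
    return tls_record(HEARTBEAT, body)


def vulnerable_client_respond(record, adjacent_memory):
    """Pre-fix behaviour: trust payload_length from the peer and copy that many
    bytes from the start of the payload, running off the end of the record into
    whatever lies next in memory.  adjacent_memory is a constructed stand-in for
    the client's heap; Python slicing stops at its end instead of crashing."""
    body = record[5:]
    hb_type, claimed_len = struct.unpack("!BH", body[:3])
    if hb_type != HEARTBEAT_REQUEST:
        return None
    heap = body + adjacent_memory              # record buffer followed by neighbouring heap
    leaked = heap[3:3 + claimed_len]           # copy with no bounds check
    resp = struct.pack("!BH", HEARTBEAT_RESPONSE, claimed_len) + leaked + b"\x00" * MIN_PADDING
    return tls_record(HEARTBEAT, resp)


def patched_client_respond(record, adjacent_memory):
    """Fixed behaviour: discard the request when 1 + 2 + payload + 16 exceeds the
    record length; otherwise echo exactly the bytes that were sent."""
    body = record[5:]
    hb_type, claimed_len = struct.unpack("!BH", body[:3])
    if hb_type != HEARTBEAT_REQUEST:
        return None
    if 1 + 2 + claimed_len + MIN_PADDING > len(body):
        return None                            # silently drop, as the fix does
    payload = body[3:3 + claimed_len]
    resp = struct.pack("!BH", HEARTBEAT_RESPONSE, claimed_len) + payload + b"\x00" * MIN_PADDING
    return tls_record(HEARTBEAT, resp)


def iter_records(stream):
    """Split a byte stream into (content_type, body) TLS records."""
    off = 0
    while off + 5 <= len(stream):
        ctype, _maj, _min, length = struct.unpack("!BBBH", stream[off:off + 5])
        yield ctype, stream[off + 5:off + 5 + length]
        off += 5 + length


def find_heartbleed_records(stream):
    """Flag heartbeat records whose claimed payload does not fit in the record.
    Only records seen before ChangeCipherSpec are still plaintext and can be
    inspected this way, which is the pre-handshake window the article describes.
    Returns a list of (record_index, claimed_len, record_body_len)."""
    findings = []
    encrypted = False
    for idx, (ctype, body) in enumerate(iter_records(stream)):
        if ctype == CHANGE_CIPHER_SPEC:
            encrypted = True
        if ctype != HEARTBEAT or encrypted or len(body) < 3:
            continue
        _t, claimed_len = struct.unpack("!BH", body[:3])
        if 1 + 2 + claimed_len + MIN_PADDING > len(body):
            findings.append((idx, claimed_len, len(body)))
    return findings


if __name__ == "__main__":
    heap = b"session=abc123; user=alice\x00" + b"\x00" * 32   # constructed client memory
    evil = heartbeat_request(claimed_len=40, payload=b"hi")   # claims 40, carries 2
    print("vulnerable:", vulnerable_client_respond(evil, heap))
    print("patched:   ", patched_client_respond(evil, heap))
    stream = tls_record(HANDSHAKE, b"\x02\x00\x00\x00") + evil
    print("flagged:   ", find_heartbleed_records(stream))
```

The vulnerable handler hands back the two real payload bytes, the padding and then the bytes that follow the record in memory, which is how a server-side attacker reads a client's cookies and credentials without ever completing a handshake. The detector applies the same length comparison as the fix; once ChangeCipherSpec has passed, heartbeat bodies are encrypted and this check no longer applies.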