[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [FD] heartbleed OpenSSL bug CVE-2014-0160
- To: craig@xxxxxxxxxxxxxxxxxx
- Subject: Re: [FD] heartbleed OpenSSL bug CVE-2014-0160
- From: Txalin <txalin@xxxxxxxxx>
- Date: Thu, 10 Apr 2014 08:39:31 +0200
> How realistic is it that an attacker would be able to glean passwords
through
> this vulnerability?
Checked by myself yesterday in some websites with login/pass form in (sites
from my company, don't blame me). I took less than 2 minutes to get 3
user/password combinations, so, easy as hell.
PD: First message in FD, hi all!!!
2014-04-10 0:32 GMT+02:00 Craig Holmes <craig@xxxxxxxxxxxxxxxxxx>:
> On April 8, 2014 10:21:34 AM Matthew Musingo wrote:
> > Even if your systems were patched an attacker could have already
> attained
> > the secrets.
> >
> > Certs and other sensitive information need to be reconsidered for
> > replacement or changed
> How realistic is it that an attacker would be able to glean passwords
> through
> this vulnerability? Programatically searching through 64k memory dumps for
> certificates seems plausible, but looking for passwords does not. A
> password is
> of no pre-determined length or format. So unless you know what strings are
> wrapped around it (and those strings are reliably presented), isn't the
> loss
> of some types of sensitive information.... unlikely?
>
> Cheers.
> Craig
>
>
> _______________________________________________
> Sent through the Full Disclosure mailing list
> http://nmap.org/mailman/listinfo/fulldisclosure
> Web Archives & RSS: http://seclists.org/fulldisclosure/
>
_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/