Security flaw Heartbleed is still alive and kicking, according to research firm Errata Security.
Over 300,000 servers remain vulnerable to Heartbleed, says Errata researcher Robert Graham. Heartbleed is a bug in the widely used encryption tool OpenSSL first reported in early April. The vulnerability enables hackers to access usernames, passwords and credit card numbers stored on a server.
When Heartbleed was first announced, Errata scanned the Internet and found roughly 600,000 servers were affected. One month later, Graham says he detected 318,000 servers remained vulnerable – approximately the same number he found to be vulnerable on Saturday. Errata Security specializes in penetration testing (often called “pentests”), which are attacks on computer systems with the intention of finding weaknesses.
“This indicates people have stopped even trying to patch. We should see a slow decrease over the next decade as older systems are slowly replaced. Even a decade from now, though, I still expect to find thousands of systems, including critical ones, still vulnerable,” said Graham in a blog post on Errata’s website.
He says there are some well-known companies and e-retailers on the list of infected servers but declined to share names.
Graham says the 300,000 servers account for approximately 1% of the servers in the world. He has not yet checked to see if the servers found vulnerable in May and June are the same servers. Graham says it’s possible that patches have been made to some systems, while others have since been made vulnerable to the bug.
Many of the servers still infected by the Heartbleed bug are likely low-priority servers, says Graham, meaning that they aren’t storing important information. Despite this, Graham says any server vulnerable to Heartbleed is a potential weak link in a company’s defenses.
“Once I have a foothold, I can leverage that one server to get elsewhere in the network. Penetration is never just one thing – it’s a foothold to use other techniques to get to other machines,” says Graham. He says Errata will conduct additional scans of the Internet in July, October and April to monitor the Heartbleed bug.