Initially it was suspected that Heartbleed was only an attack on servers, but it turns out that this is not the case. Heartbleed is an exploit of some bad code in a package called OpenSSL, which is normally run on servers and Linux machines. If a machine is running the compromised version of OpenSSL AND has been hacked so that it can be controlled remotely by ne'er-do-wells, then it is possible for them to do a reverse-Heartbleed attack against personal computers, tablets, smartphones, etc.
As an example, Facebook and Yahoo Mail look up URLs to grab a partial screen capture to link with your message. If you control the remote URL being looked up, it's possible to leverage an attack.
http://blog.meldium.com/home/2014/4/10/testing-for-reverse-heartbleed
Meanwhile, a Canadian teen has been arrested by the RCMP for exploiting Heartbleed against the Canadian revenue service. As a result of his attack, the Canadians stopped accepting online tax return submissions and extended the deadline.
http://news.slashdot.org/story/14/04/17/1414219/rcmp-arrest-canadian-teen-for-heartbleed-exploit
The shutdown of online returns: http://news.slashdot.org/story/14/04/10/1253227/canada-halts-online-tax-returns-in-wake-of-heartbleed
And it appears that the NSA has known about the exploit and been using it for their own ends.