Prime Ventures Backed Codenomicon Discovers Major Bug in OpenSSL and Mobilizes the World to Action

April 2014

Massive security bug in OpenSSL could affect a huge chunk of the Internet

Codenomicon, a Finnish computer security company backed by Prime Ventures, has discovered a serious computer bug called “Heartbleed”. Attackers can use the bug to steal sensitive information from users without being noticed, including passwords, stored files, bank details, and even social security numbers.

The bug was found in a part of the OpenSSL protocol called the “heartbeat”. It is present in several versions of OpenSSL, which is used by most websites and applications. Heartbleed can reveal the contents of a server's memory, where the most sensitive data is held: private data such as usernames, passwords, and credit card numbers. It also means an attacker can obtain copies of a server's private keys and then use them to impersonate the server or to decrypt past communications, and potentially future ones as well.

“It is a serious bug in that it doesn’t leave any trace,” said David Chartier, chief executive at Codenomicon. “Bad guys can access the memory on a machine and take encryption keys, usernames, passwords, valuable intellectual property, and there’s no trace they have been there.” The company tested the bug against its own systems to understand the severity of its effects. This is what the company found:

'We have tested some of our own services from the attacker’s perspective. We attacked ourselves from outside, without leaving a trace. Without using any privileged information or credentials we were able to steal from ourselves the secret keys used for our X.509 certificates (a standard cryptographic key), user names and passwords, instant messages, emails and business critical documents and communication.'

After discovering the bug and bringing it to the attention of the OpenSSL team, Codenomicon took its responsibility one step further by publishing the Heartbleed website, which explains in detail what the risks are and how to handle them.

News of the bug, together with the way Codenomicon responded via the Heartbleed website, has led to a whirlwind of media exposure, with millions of impressions and front-page stories in almost all leading international newspapers, blogs and TV news programmes.