What's left of Heartbleed in SSL-based websites and mobile apps

April 26, 2014



SAN JOSE, CA--(Marketwired) - Trustlook, a mobile security start-up in San Jose, has published a new report on the Heartbleed vulnerability. It shows that 4.4% of SSL-enabled websites and 8.7% of Android apps with a built-in SSL library are still vulnerable 16 days after the initial disclosure.

Heartbleed is a major vulnerability in OpenSSL, one of the core network infrastructure libraries. It is a missing bounds check in the TLS heartbeat extension that lets a remote client read up to 64 KB of server memory per request. By exploiting it, an attacker can steal users' login credentials and private information, and even the server's private key.

Why is it critical?

  1. Wide impact on web infrastructure. Heartbleed affects any service built on a vulnerable OpenSSL, including web, file transfer, and email services. Taking web services as an example, both Apache and Nginx use OpenSSL for secure connections, and between them they hold 66% of the web server market.

  2. Easy to exploit. Harvesting sensitive data is the main purpose of the attack, and it takes a single step: one malformed request, no authentication, no follow-up. Exploit code is easy to find online, so anyone can carry out the attack with publicly released tools and no professional knowledge.

  3. Hard to detect. The attack is carried in "heartbeat" packets, which are handled inside the TLS layer and are usually not recorded in server logs, so a successful read leaves no trace at the application level.
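The three points above come down to the shape of one packet, so here is an added example that is not part of Trustlook's report or code: a small Python parser for the TLS heartbeat message laid out in RFC 6520, with the bounds check that the OpenSSL 1.0.1g fix added to tls1_process_heartbeat() and the arithmetic an unpatched server performs instead. The sample records are constructed inline, not captured traffic, and the function names are my own. It assumes the record body is available in the clear, as it is for a probe sent before the handshake finishes or for a record that has already been decrypted.

```python
import struct

# TLS record content type for the heartbeat extension (RFC 6520).
TLS_CT_HEARTBEAT = 24
HB_REQUEST = 1
HB_RESPONSE = 2
HB_MIN_PADDING = 16  # RFC 6520 section 4: at least 16 bytes of padding


def build_heartbeat_record(claimed_payload_len, payload=b"",
                           padding=b"\x00" * HB_MIN_PADDING,
                           hb_type=HB_REQUEST, version=(3, 2)):
    """Build a plaintext TLS record carrying a heartbeat message.

    claimed_payload_len is written into the length field independently of
    len(payload). That mismatch is the whole bug, so callers can construct
    both honest and malicious requests with the same helper.
    """
    body = struct.pack("!BH", hb_type, claimed_payload_len) + payload + padding
    header = struct.pack("!BBBH", TLS_CT_HEARTBEAT, version[0], version[1], len(body))
    return header + body


def parse_heartbeat_record(record):
    """Return (record_len, hb_type, claimed_payload_len) for one TLS record."""
    if len(record) < 5:
        raise ValueError("truncated TLS record header")
    content_type, _major, _minor, record_len = struct.unpack("!BBBH", record[:5])
    if content_type != TLS_CT_HEARTBEAT:
        raise ValueError("not a heartbeat record (content type %d)" % content_type)
    body = record[5:]
    if len(body) != record_len:
        raise ValueError("record length field (%d) disagrees with bytes present (%d)"
                         % (record_len, len(body)))
    if record_len < 3:
        raise ValueError("heartbeat body too short for the type and length fields")
    hb_type, claimed_len = struct.unpack("!BH", body[:3])
    return record_len, hb_type, claimed_len


def is_malformed_heartbeat(record):
    """The check OpenSSL 1.0.1g added: 1 (type) + 2 (length) + payload +
    16 (padding) must fit inside the record, otherwise the message is
    silently discarded as RFC 6520 requires."""
    record_len, _hb_type, claimed_len = parse_heartbeat_record(record)
    return 1 + 2 + claimed_len + HB_MIN_PADDING > record_len


def vulnerable_overread_bytes(record):
    """Bytes an unpatched server (1.0.1 through 1.0.1f) copies from beyond
    the request into its response: it memcpy()s claimed_len bytes starting
    after the 3-byte header, but only record_len - 3 request bytes exist."""
    record_len, _hb_type, claimed_len = parse_heartbeat_record(record)
    return max(0, claimed_len - (record_len - 3))


def classify(record):
    """Verdict a network-level detector could log, since the server itself won't."""
    return {"malformed": is_malformed_heartbeat(record),
            "overread": vulnerable_overread_bytes(record)}


# Constructed sample records (not captured traffic).
SAMPLES = {
    # Honest request: 5-byte payload, truthful length field, 16 bytes of padding.
    "honest": build_heartbeat_record(5, b"hello"),
    # The classic probe: claims 65535 bytes, carries none, and no padding.
    "probe_64k": build_heartbeat_record(0xFFFF, b"", padding=b""),
    # Truthful length but no padding: rejected by the fix even though an
    # unpatched server would not read past the record.
    "short_padding": build_heartbeat_record(5, b"hello", padding=b""),
}

if __name__ == "__main__":
    for name, rec in SAMPLES.items():
        print(name, classify(rec))
```

The two functions disagree on the "short_padding" case on purpose: the patched check is stricter than "does it over-read", because it also enforces the minimum padding, so a detector that only flags records with claimed length greater than the bytes present would miss requests a fixed server still drops.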

The aftermath 

This report was written 16 days after the vulnerability's initial disclosure. To show Heartbleed's aftermath two weeks on, the Trustlook team analyzed Alexa's top 1 million websites and over 120,000 apps from Google Play.

After large websites (Yahoo, GitHub, GoDaddy, etc.) patched themselves, attackers' attention is shifting to smaller sites and to mobile platforms. According to the scan of the Alexa top 1 million websites, 451,470 of them accept SSL connections, and of those, 19,566 (4.4%) are still vulnerable.

On mobile, Android 4.1.1, which holds 7% of the Android market, is vulnerable because of the OpenSSL version it shipped with. What makes things worse is that Android is a highly fragmented OS, and some third-party ROMs are slow to pick up patches and updates. Apps are exposed separately from the OS: of the 120,000 Google Play apps scanned, 8.7% bundle their own vulnerable SSL library, affecting more than 150 million users.

One week ago Trustlook released an emergency protection app, Heartbleed Detector (http://play.google.com/store/apps/details?id=com.trustlook.heartpulse), to help mobile users gauge and mitigate the risk. Its other app, Trustlook Antivirus, has also integrated the Heartbleed detection.

About Trustlook Inc. 
Founded in 2013 and headquartered in Silicon Valley, Trustlook is a global leader in next-generation mobile security solutions. Trustlook pioneers and provides the first APT (advanced persistent threat) mobile security solutions to detect and address zero-day and advanced malware. For more information, please visit blog.trustlook.com.

Read more: http://www.hostreview.com/news/140425-heartbleed-two-weeks-later-44-of-ssl-enabled-websites-still-vulnerable
