It also allows for session interception: https://www.mattslifebytes.com/?p=533
https://www.michael-p-davis.com/using-heartbleed-for-hijacking-user-sessions/

On Tue, Apr 08, 2014 at 11:14:51AM -0700, Ray Van Dolson wrote:
> On Tue, Apr 08, 2014 at 01:33:51PM -0400, David Blank-Edelman wrote:
> > On Apr 8, 2014, at 9:48 AM, Paul Graydon <p...@paulgraydon.co.uk> wrote:
> >
> > > There is ample proof this morning that it can be used to acquire Yahoo
> > > credentials with ease as Yahoo remains unpatched.
> >
> > So I’ve seen the screen shot too that went around, but I have to
> > admit, I’m curious about the mechanics behind that. Would anyone care
> > to speculate just how you use this bug to grab credentials in that
> > way from them? I can hazard a partial guess, but I’d like to hear if
> > others have any more technical detailed thoughts on how this was
> > done.
> >
> > — dNb
>
> Haven't seen the screenshot, but at least in my head I'm envisioning
> snagging private keys then capturing corresponding traffic and being
> able to decrypt it.
>
> Ray
> _______________________________________________
> Tech mailing list
> Tech@lists.lopsa.org
> https://lists.lopsa.org/cgi-bin/mailman/listinfo/tech
> This list provided by the League of Professional System Administrators
> http://lopsa.org/