It’s getting so you just can’t trust hackers any more.
According to Computerworld U.S., security experts doubt the validity of a hacker claim that there’s a new vulnerability in the patched, post-Heartbleed version of OpenSSL.
Jeremy Kirk writes that a group of hackers, in a post on Pastebin, claim to have developed a fix for the new vulnerability that they “found.” The post tells users they’ll get a download link for the fix after making a payment of 2.5 bitcoins, which works out to around US$870.
“A new flaw in OpenSSL could pose just as much of a threat as Heartbleed did,” Kirk writes. “But the hackers’ claim was met with immediate suspicion on Full Disclosure, a forum for discussing vulnerability reports.”
In one posting, a commentator says “They claim to have found a buffer overflow in the handling of the DOPENSSL_NO_HEARTBEATS variable; since that’s in the C Preprocessor, that’s a rather extraordinary claim.”
Other comments about the validity of the hackers’ claim are more direct.
“It’s [bleep],” another poster writes. “They say: ‘A missing bounds check in the handling of the variable “DOPENSSL_NO_HEARTBEATS.”’ That’s not a variable, the ‘D’ is not actually part of the name, and it’s a compile-time macro that configures whether heartbeats will be compiled in or not. And because it’s a compile-time thing, it’s nothing that an attacker could ever influence.”
Because the hackers didn’t make their code public, their claim can’t be verified. And the email address provided for questions turns out to be the same one used on Pastebin for a couple of earlier offers for data, including data from a defunct Japanese bitcoin exchange that was hacked.
Still, when one poster asks if there really could be a working exploit on patched versions of OpenSSL, another answers “Absolutely! Ask again in a year.”
The Heartbleed flaw in OpenSSL was disclosed earlier this month and could enable hackers to gain access to login credentials or a server’s private SSL key.