As if the Heartbleed bug wasn’t enough, another major Internet vulnerability has been found – this one going back since OpenSSL’s inception.
The OpenSSL team has had its hands full this Spring. First was the Heartbleed bug that was said to allow hackers remote control into your device. The Heartbleed bug was due to a wrongly-entered code that provides the technical loophole. OpenSSL was considered to be the most dangerous Internet loophole in history – but it wasn’t the only loophole. Today, a new loophole was discovered (called CCS Injection, or ChangeCipherSpec) that allows hackers to change the data being sent from the client to the server or vice versa. Hackers could also decrypt messages being sent and intercept them before they arrive at the intended destination.
The CCS Injection loophole was discovered by Masashi Kikuchi, who says that the loophole “has existed since the very first release of OpenSSL” and “that code reviews were insufficient, especially from experts who had experiences with TLS/SSL implementation. If the reviewers had enough experiences, they should’ve been verified OpenSSL code in the same way they do their own code. They could’ve detected the problem.”
Kikuchi says that the recent Heartbleed bug is what prompted him to check for whether or not OpenSSL would verify certain conditions. He quickly discovered there was another vulnerability when he detected that OpenSSL didn’t fulfill the conditions necessary for to confirm that loopholes had been closed.