What threatens Heartbleed simple user?

Many have already heard about the vulnerability found in OpenSSL. It is safe to say that in terms of coverage in online media, it will take the first place of honor. They not only write about it, but also create special sites that check services and even draw comics . And no wonder - the scale of the damage is really impressive, according to some estimates, more than 17% of all sites with ssl support are vulnerable, given the ease of operation, this event can be compared to an epidemic. Unfortunately, even this is not a sufficient argument for many - a week later, many sites continue to be under threat. This may not be critical for simple services, but not for financial ones. This can be especially painful for payment gateways through which payments are made. I will tell about one of these.

The other day I made an online purchase in a Russian Internet company. When I got to the moment of payment, I was transferred to the payment gateway of a large bank with a form for entering data from a bank card. It was the only payment method and I started filling out the form.

Nothing foreshadowed trouble, except the sixth sense. Before clicking the “Pay” button, I decided to check the payment gateway for a vulnerability. All public services for verification gave a positive response. Realizing that it was not worthwhile to continue the purchase, I decided to find out what really could threaten users who do not even suspect that they are making a payment through a vulnerable gateway and how easy is it to be convinced?
')
It was not easy to verify this, but very simple. After modifying the code of one of the ready-made exploits on github, I had at my disposal a dump file of 64 kilobyte pieces. What was in it?



It was all . Literally everything that passes through the payment gateway: order number, card number, CVV2, name, year and month to which it is valid. In half an hour of the script's operation, several hundreds of real bank cards and data about their owners turned out to be in the dump.

Of course, all the necessary information was immediately sent to the contacts of the payment gateway and its largest customers, but at the moment the vulnerability has not been eliminated. I remind you that it has been almost a week since Heartbleed became publicly known. It only remains to be surprised at the carelessness of the security services of some large companies and to imagine with horror how many cards and other critical personal information could have fallen into the hands of real intruders.

Updated (04/15/2014): The vulnerability was fixed a week later, after the publication of information on Heartbleed, and three days later since my request.

Updated (04/16/2014): this vulnerability was discovered in the payment gateway of VTB24 Bank, which was used, in particular, on the Russian Railways website. I have no relation to the site sos-rzd.com and its authors. I recommend to everyone who made purchases through it from April 7 to April 14 to reissue cards.