Time to Kill openSSL | TechSNAP 158

Time to Kill openSSL | TechSNAP 158

Is it time to replace openSSL? We’ll follow up on the Heartbleed story, discuss how attackers got read access to Google’s production servers and then it’s a great batch of your questions and our answers.

All that and much much more…

On this week’s TechSNAP!

Thanks to:




Direct Download:

HD Video | Mobile Video | MP3 Audio | Ogg Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feeds | Torrent Feed

— Show Notes: —

Heartbleed followup

How we got read access to Google’s production servers

  • A group of researchers decided to target Google
  • Looking at the trends in the industry, flaws are most often found in:
  • Old and deprecated software
  • Unknown and hardly accessible software
  • Proprietary software that only a few people have access to
  • Alpha/Beta releases and otherwise new technologies
  • So they did their homework
  • They used the Google search engine, to search for software and companies that Google had acquired, antique systems, and products with very few users
  • They found the Google Toolbar button gallery
  • The product allows users to customize the toolbar by uploading XML that controls the style etc
  • They quickly managed to perform an XXE attack
  • They were then able to read files on Google’s production servers, including /etc/passwd, and some custom init scripts that Google uses to manage their cluster of servers
  • They likely could have escalated the attack, and possibly accessed Google’s internal servers
  • The team reporting the issue to Google, and was awarded a $10,000 bug bounty


Round Up:

Question? Comments? Contact us here!