Bleeding-in-the-Browser – Why Downplaying of Reverse Heartbleed Risk for Mobile is Dangerous to the Enterprise

For the past few weeks, we’ve been researching methods to protect our customers from Heartbleed. Some researchers downplay client-side Heartbleed attacks and believe them to be improbable due to the required scenarios for an attack and vulnerabilities limited to Android 4.1.1 devices.

We believe that client-side Heartbleed attacks could be easily executed and that Enterprises should take steps to manage that risk now. To show how simple it is to exploit a device  we have put together a short video to illustrate this.


The video here was done using a device running Android OS 4.1.1 (Jelly Bean) using an attack based on the reverse Heartbleed vulnerability. This exploit scenario was tested with the native Android browser, that comes pre-installed with Android OS and provides a realistic and highly common scenario that exploits the mobile browser to steal credentials and session cookies. To get a better understanding of each of the stages in the attack, you can view the flow here:

The Required scenario for an attack can be simple

With social engineering, an attacker can perform a simple phishing attack or simply direct a user to a malicious website – making it relatively straightforward to steal the credentials or session keys from any running web service, using Heartbleed.

This is a perfectly feasible scenario, which follows the traditional phishing attack with a significant improvement. The attacker is no longer required to masquerade the service; they can use the original service of the trustworthy entity.

Android 4.1.1 may be the only vulnerable version, but this version has 50M+ users worldwide.

Although there is indeed only one version of Android which is directly susceptible to Heartbleed, research shows that Android 4.1.1 still has more than 50 million users worldwide (including 4m in the US alone). Google has also released numbers showing that Android 4.1 is still by far the most common version of the OS (with 34% distribution).

This, along with the fact that millions of Android devices never, or rarely, receive security updates, proves that a vulnerable Android 4.1.1 is more than capable of endangering your enterprise. It’s also worth noting many of the popular custom ROMs (3rd party version of Android OS) contain the infected version of the OpenSSL library and thus the Heartbleed vulnerability.

We Advise our Enterprise Customers to:

  • Map the risk across your enterprise’s mobile devices and identify vulnerable devices. An on-line Heartbleed mobile device tester is available here. For a free enterprise test account, please contact us at [email protected]
  • If you’ve identified vulnerable devices, enable two-factor authentication on critical services as SalesForce, Google Apps, Office365, etc.
  • Use Lacoon MobileFortress to track the vulnerability status in your mobile environment and provide on-demand exploit mitigation.