The Heartbleed bug allows anyone on the internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. Sensitive information such as session identifiers, usernames, passwords, tokens, and even the server’s private cryptographic keys, in some extreme cases, can be extracted from the memory. To make matters worse, this attack leaves no apparent evidence in the log files. Thus, it is extremely difficult to determine whether the machine has been compromised.
An attacker can read 64 kilobytes of server memory for a single Heartbeat message. However, there is no limit to the amount of memory that can be read from a vulnerable server. Furthermore, an attacker can continue reconnecting and requesting an arbitrary number of 64-kilobyte segments to reveal secrets (passwords, secret keys, credit card numbers, etc.) stored in memory.