Seven weeks after the bug put the web on high alert, Heartbleed is still causing problems. A new report from Portuguese security researcher Luis Grangeia describes how the same bug could be used over Wi-Fi to enable new kinds of attacks that build on the same vulnerability. Dubbed Cupid, the new line of attack would perform the same Heartbleed procedure over Wi-Fi instead of the open web, either pulling data from enterprise routers or using a malicious router to pull data from Android devices as they connect. In each case, the attacker would be able to view snippets of the working memory from the targeted device, potentially exposing user credentials, client certificates, or private keys. Grangeia published a proof of concept for the bug earlier today, and is urging vendors and administrators to upgrade their devices.
