The 2014 Pwnie Winner For Best Server-Side Bug

Heartbleed (CVE-2014-0160)

Credit: Neel Mehta and Codenomicon

The Heartbleed vulnerability was unleashed in April this year, starting a trend of giving vulnerabilities names, websites and logos. It was also a cool bug. This bug had a significant impact on both Yahoo! webmail users and any firm using Amazon’s Elastic Load Balancers (ELBs). For almost a full day, anyone visiting the Yahoo! webmail application or an ELB-backed cloud service was at risk of having their cleartext credentials exposed. Yahoo! approached this problem by forcing password resets. The other 10,000+ companies using ELB likely did not.