While you've probably read several lengthy articles and FAQs detailing how the bug works, this cartoon is probably the simplest explanation yet.
The Heartbleed bug tricks a server into spilling out extra information from its memory. A server's memory often includes sensitive personal information, such as your passwords, credit card numbers, and other data you wouldn't want anyone else to see.
This information is usually encrypted, which means its translated to an indecipherable code when it's transferred between servers, but Heartbleed can decode this encryption and store the codes used to protect your data. That's because Heartbleed takes advantage of a vulnerability in OpenSSL, a popular encryption standard used to power a giant chunk of the Web.
Popular web comic XKCD has broken down how Heartbleed works through this cartoon, which was first spotted by Gizmodo. XKCD has a lot of clever, geeky comics that you can read here >>
Heartbleed attacks a vulnerability in OpenSSL called Heartbeat, which is a means of calling out to a server to make sure the connection is secure. This is what's happening in the cartoon below.
The Heartbeat message usually contains arbitrary data and a length field denoting how many bytes of data are in the message.
The server would then spit that exact message back to the original sender to prove that the connection is secure.
The Heartbleed bug involves an issue with the server reading the length field incorrectly, which in turns tricks your server into spitting out more data than it should without realizing it.
