HTTPS I think you mean
What's happening is hackers (now script kiddies - because you can download scripts to do it now) are establishing a secure connection to the server, then requesting a heartbeat. Similar to a PING, you send data and it sends it back. But someone forgot to check that the string length matches the number that was sent. So it's quite easy to basically download memory contents from the server - which can easily contain un-encrypted stuff from other people's connections. Hook that to a parsing script to pull out email addresses, session IDs, credit card numbers etc.
As an end user you're safe if:
- you do not use vulnerable sites (anyone not using the bad versions of OpenSSL)
- or you do not log in or use them until they're patched
- or the hacker was busy doing something else, or missed your piece of allocated memory.
Anyone familiar with C can check out the fix for OpenSSL here:
http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=96db9023b881d7cd9f379b0c154650d6c108e9a3
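As an added illustration (not the commenter's code and not OpenSSL's source), here is a simplified C model of a heartbeat record and the bounds check that was missing: the declared payload length must fit inside the record that actually arrived, otherwise the request is rejected instead of being answered from whatever memory follows. The constants, function names and sample records are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Simplified heartbeat record body (RFC 6520 layout):
 *   type (1 byte) | payload_length (2 bytes, big-endian) | payload | padding (>= 16 bytes)
 * Constants and functions below are illustrative, not OpenSSL's own. */
#define HB_REQUEST     1
#define HB_RESPONSE    2
#define HB_MIN_PADDING 16

/* Constructed sample records (not captured traffic). */
/* Declares 3 payload bytes and actually carries "abc" + 16 padding bytes. */
const unsigned char HB_GOOD[] = { HB_REQUEST, 0x00, 0x03, 'a', 'b', 'c',
    0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 };
/* Declares 65535 payload bytes but carries only "abc" + 16 padding bytes. */
const unsigned char HB_BAD[]  = { HB_REQUEST, 0xff, 0xff, 'a', 'b', 'c',
    0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 };
const size_t HB_GOOD_LEN = sizeof HB_GOOD;
const size_t HB_BAD_LEN  = sizeof HB_BAD;

/* Returns the declared payload length if it is consistent with rec_len,
 * or -1 if the record is malformed. The last check is the one the
 * vulnerable code lacked: declared length must fit in the bytes received. */
int hb_validate(const unsigned char *rec, size_t rec_len)
{
    if (rec_len < 3) return -1;                  /* need type + 2-byte length */
    if (rec[0] != HB_REQUEST && rec[0] != HB_RESPONSE) return -1;
    unsigned int payload = ((unsigned int)rec[1] << 8) | rec[2];
    if (1 + 2 + (size_t)payload + HB_MIN_PADDING > rec_len) return -1;
    return (int)payload;
}

/* Builds a response using only bytes that were really present in the request.
 * Returns the response length, or -1 if the request fails validation. */
int hb_build_response(const unsigned char *rec, size_t rec_len,
                      unsigned char *out, size_t out_len)
{
    int payload = hb_validate(rec, rec_len);
    if (payload < 0) return -1;
    size_t need = 1 + 2 + (size_t)payload + HB_MIN_PADDING;
    if (out_len < need) return -1;
    out[0] = HB_RESPONSE;
    out[1] = (unsigned char)(payload >> 8);
    out[2] = (unsigned char)(payload & 0xff);
    memcpy(out + 3, rec + 3, (size_t)payload);   /* copy only what arrived */
    memset(out + 3 + payload, 0, HB_MIN_PADDING); /* padding is zeroed here */
    return (int)need;
}
```

Running `hb_validate` over both sample records shows the well-formed one accepted with payload length 3 and the oversized declaration rejected before any copy happens.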