In short, Heartbeat allows one endpoint to go “I’m sending you some data, echo it back to me”. It supports up to 64 KiB. You send both a length figure and the data itself. Unfortunately, if you use the length figure to claim “I’m sending 64 KiB of data” (for example) and then only actually send, say, one byte, OpenSSL would send you back your one byte — plus 64 KiB minus one byte of other data from RAM
So, what does that mean?
This allows the other endpoint to get random portions of memory from the process using OpenSSL. An attacker cannot choose which memory, but if they try enough times, their request’s data structure is likely to wind up next to something interesting.
And to add insult to injury,
None of this will be logged anywhere, unless you record, like, all your raw TLS connection data.
Which means you won’t know if you’ve been hit, so you need to assume you have.
For further detail, there’s a good summary here: