
Comment by gojomo

12 years ago

Imagine you've got a script that, among other things, does a 'wget' against some innocent plain HTTP URL. But an attacker intercepts your request, and redirects you to an HTTPS URL of their choosing.

Yes, wget uses OpenSSL, and follows redirects silently by default.

Now that server uses heartbleed to x-ray your client process memory, collecting all sorts of confidential information, including perhaps credentials to other services.

This bug has a lot of nasty, unintuitive permutations and repercussions that will take time to fully grasp.
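The comment above describes the "reverse Heartbleed" direction: once wget has followed the redirect and opened a TLS session, the attacker's server sends heartbeat requests with a lying payload length and the client's OpenSSL hands back whatever happened to follow the message in its heap. The toy below is an added example, not code from the commenter, wget or OpenSSL: it models the heartbeat message layout of RFC 6520, the pre-fix behaviour (copy as many bytes as the peer declared) beside the patched check (discard the message if the declared length does not fit in what was actually received). The "process memory" and the session token in it are constructed for the demonstration; nothing here touches a real socket or a real OpenSSL build.

```python
"""Toy model of the Heartbleed (CVE-2014-0160) bounds-check failure.

Added example; not code from the comment above, from wget or from OpenSSL.
Memory and secrets below are constructed for illustration only.
"""
import struct

HB_REQUEST = 1
HB_RESPONSE = 2
MIN_PADDING = 16  # RFC 6520: a heartbeat message carries at least 16 bytes of padding

# Constructed bytes standing in for whatever happened to sit after the
# received heartbeat message in the client's heap (here: a fake session cookie).
FAKE_PROCESS_MEMORY = (
    b"\x00" * 64
    + b"Cookie: session=FAKE-SESSION-TOKEN-1234\r\n"
    + b"\x00" * 64
)


def build_heartbeat_request(declared_len, payload, padding=b"\x00" * MIN_PADDING):
    """Build a heartbeat message: type (1) | payload_length (2) | payload | padding.

    declared_len is written verbatim, so a caller can make it lie about len(payload).
    """
    return bytes([HB_REQUEST]) + struct.pack("!H", declared_len) + payload + padding


def vulnerable_respond(message, trailing_memory):
    """Pre-1.0.1g behaviour: trust payload_length and copy that many bytes.

    The real code memcpy'd from the record buffer and ran off its end into
    adjacent heap; the over-read is modelled by concatenating the bytes that
    would have followed the message in memory.
    """
    payload_length = struct.unpack("!H", message[1:3])[0]
    buf = message + trailing_memory
    payload = buf[3:3 + payload_length]
    return bytes([HB_RESPONSE]) + struct.pack("!H", payload_length) + payload + b"\x00" * MIN_PADDING


def checked_respond(message):
    """Patched behaviour: silently discard a message whose declared length does not fit."""
    if len(message) < 1 + 2 + MIN_PADDING:
        return None  # too short to even hold the mandatory padding
    if message[0] != HB_REQUEST:
        return None
    payload_length = struct.unpack("!H", message[1:3])[0]
    if 1 + 2 + payload_length + MIN_PADDING > len(message):
        return None  # declared payload would read past the received message
    payload = message[3:3 + payload_length]
    return bytes([HB_RESPONSE]) + struct.pack("!H", payload_length) + payload + b"\x00" * MIN_PADDING


def response_payload(response):
    """Extract the echoed payload from a heartbeat response."""
    n = struct.unpack("!H", response[1:3])[0]
    return response[3:3 + n]


def demo():
    """Run an honest and a lying request through both implementations."""
    honest = build_heartbeat_request(4, b"ping")          # declared length matches
    lying = build_heartbeat_request(0x4000, b"")          # claims 16 KiB, sends none
    return {
        "honest_checked": response_payload(checked_respond(honest)),
        "lying_vulnerable": response_payload(vulnerable_respond(lying, FAKE_PROCESS_MEMORY)),
        "lying_checked": checked_respond(lying),
    }


if __name__ == "__main__":
    results = demo()
    print("honest request, patched code echoes:", results["honest_checked"])
    print("lying request, patched code returns:", results["lying_checked"])
    print("lying request, vulnerable code leaks token:",
          b"FAKE-SESSION-TOKEN-1234" in results["lying_vulnerable"])
```

The one-line check in `checked_respond` is the whole fix: the declared payload length plus the fixed header and minimum padding must fit inside the bytes actually received. Note that the client side in the comment's scenario has no say in this; the attacker's server can send as many lying heartbeats as it likes once the handshake completes, so the practical mitigations are a patched OpenSSL and not letting an unauthenticated plain-HTTP fetch follow redirects at all (wget's `--max-redirect=0`).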