Heartbleed's engineer: It was an 'accident'

Heartbleed's engineer: It was an 'accident'

Summary: The programmer responsible for code leading to Heartbleed says the flaw was accidental, despite its catastrophic consequences.

TOPICS: Security

The Heartbleed bug has rocked the security industry and web services in the past few days. However, the programmer responsible for the oversight says that it was an accident that the flaw was introduced in the first place.

Heartbleed is an encryption flaw which affects OpenSSL's 1.0.1 and the 1.0.2-beta release, 1.01 which is used widely across the web and in a number of popular web services. The flaw can theoretically be used to view apparently-secure communication across HTTPS, usually denoted by a small closed padlock in a browser's address bar.

The data potentially at risk includes everything from passwords and encryption keys to financial details and personal identifiable information -- allowing a hacker to dip in, swipe data, and leave no trace of their existence.

Commenting on the discovery, Bruce Schneier wrote on his security blog Schneier on Security:

"Basically, an attacker can grab 64K of memory from a server. The attack leaves no trace, and can be done multiple times to grab a different random 64K of memory. This means that anything in memory -- SSL private keys, user keys, anything -- is vulnerable.

And you have to assume that it is all compromised. All of it. ‘Catastrophic’ is the right word. On the scale of one to 10, this is an 11."

OpenSSL programmer Robin Seggelmann told the Sydney Morning Herald that the vulnerable code leading to the Heartbleed flaw, part of the OpenSSL project, was submitted by him and reviewed by peer programmers involved in the scheme.

This code was refined by additional programming for the encryption protocol, later used by millions of websites, and it was this bolt-on coding that introduced the bug, caused by "missing validation on a variable containing a length." Neither Seggelmann or a peer reviewer noticed the missing validation, and so the code eventually made its way from development to the released version of the encryption software.

The German software developer denies that the security flaw was included deliberately, and told the publication that which the error introduced into OpenSLL was "trivial," the impact was "severe."

Seggelmann noted that conspiracy theories are tempting ways to explain the bug, especially in light of ex-NSA contractor Edward Snowden's document leaks detailing the surveillance activities of governments worldwide. While admitting it is "a possibility" that spy agencies may have known about and exploited Heartbleed in the past two years, the vulnerability was "was not intended." Seggelmann commented:

"In this case, it was a simple programming error in a new feature, which unfortunately occurred in a security relevant area. It was not intended at all, especially since I have previously fixed OpenSSL bugs myself, and was trying to contribute to the project."

Many sites have patched the security flaw, including Facebook, YouTube, Tumblr, Reddit and Instagram. You can use LastPass' Heartbleed checker to see if your favorite web service are still vulnerable to the flaw, and once these companies have patched up, then changing your password is recommended.


Topic: Security

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • I do feel for the guy

    And I do believe him.
    • so much for peer review, put a fork in it.

      The argument will never hold even an ounce of water.
      • Code review is good...

        ...but it's not enough. You have to test.
        John L. Ries
  • Ooops

    "Wrong button"

    Guys at Fukushima and Chernobyl say the same.
    • indeed

      What's he going to say, yeah lolz I did it on purpose.
      • I thought the same thing

        "I'm bored. What can I do to wreak havoc? "
  • NSA must've been happy

    seems odd that this is just now coming up. Perhaps the guy responsible has a nest egg in the Caymans, courtesy of the NSA.
  • catastrophic consequences

    Where when how ????!!!!!!!
    • X15meshman: "catastrophic consequences"

      The link in the article to Bruce Schneier's blog points to an EFF article that details possible evidence of the Heartbleed vulnerability having been exploited:

      "We have spoken to Ars Technica's second source, Terrence Koeman, who reports finding some inbound packets, immediately following the setup and termination of a normal handshake, containing another Client Hello message followed by the TCP payload bytes 18 03 02 00 03 01 40 00 in ingress packet logs from November 2013. These bytes are a TLS Heartbeat with contradictory length fields, and are the same as those in the widely circulated proof-of-concept exploit.
      "Koeman's logs had been stored on magnetic tape in a vault. The source IP addresses for the attack were and Interestingly, those two IP addresses appear to be part of a larger botnet that has been systematically attempting to record most or all of the conversations on Freenode and a number of other IRC networks. This is an activity that makes a little more sense for intelligence agencies than for commercial or lifestyle malware developers.

      The EFF is asking the networking community to view their TLS-layer traffic logs, archived and otherwise, for evidence of Heartbleed-related attacks.
      Rabid Howler Monkey
      • Still

        Pretty strong words used to describe something that eventually happen'd

        Just 2 grab the latest openssl src, compile and go on.
        The server systems still running obsolete opessl's does that own responsibility

        The ones complaining without applying any remedy ought to keep their "mouth's shut"
        • The curse of reading compiler output from a buggy C++ vector analysis code

          While typing on another box . . .

          The server systems still running obsolete openssl's does that on their own
          responsibility, seemingly this includes ZDnets own servers.
        • The suspect network logs showing possible evidence of a Heartbleed exploit

          are dated from November, 2013. This predates the very recent widespread knowledge of the vulnerability.

          The hunt for previous exploits is on ...
          Rabid Howler Monkey
          • Why chasing ghosts

            Applied some over 20 patches just by dropping the dynamically linked openssl's
            directly in the app folders, as the paches use the same c in/cout API, while three statically linked were just recompiled and dropped.

            All done within two hours.
          • Perhaps because you should know if you were hacked...

            ..maybe you have payroll or HR data on your server. Maybe you have servers running an ERP with a payables systems that keeps vendor banking information.

            It's all well and good that you can easily "fix" the systems so that you aren't hacked in the future, but that doesn't mean someone out there doesn't have a very powerful password to access your very important information already.
          • The only protection

            Is knowhow

            Collaborated with some scamhunters some three years ago.

            Found the code used when trying to bypass my completely open
            honeypot computer, knocked the code of execution and found the src used.
            Around 2.6 million computers in a botnet silently disabled.

            So "cache me if you can", otherwise see you in your computer 2 the ones trying.
          • X15meshman: "Why chasing ghosts"

            The EFF has an interest in privacy and would like to find out if the U.S. government (or any other government) has used the Heartbleed vulnerability to spy on its citizens.

            Other organizations have an interest as this would force many to conduct a damage assessment.
            Rabid Howler Monkey
          • The EFF has an interest

            That with all support

            All types of cypersnooping must be acted against.

            While doing so it's better to to be invisible

            though the first action is to patch a.s.a.p.
  • ZDNet

    Interestingly, the checker Charlie provides the link to has the following to "say" about ZDNet

    Site: www.zdnet.com
    Server software: Apache
    Was vulnerable: Likely (known use OpenSSL)
    SSL Certificate: Possibly Unsafe (created 12 months ago at Apr 25 00:00:00 2013 GMT)
    Assessment: Wait for the site to update before changing your password
  • How many more

    Wonder how many other similar bugs there are out there in the wild.
    This particular type of bug couldn't happen using an object-oriented language. But OO languages are slower.
    If the code hadn't been open-source then the bug would likely never have been known - but neither been a risk for exploitation.
    It could be interesting to see the actual steps of a real-life exploitation for getting for example a password or security key. My guess is that it is not easy.
    • nonsense!

      I bet it was C++. The issue was lack of peer review.
      LlNUX Geek