Heartbleed's engineer: It was an 'accident'

The programmer responsible for code leading to Heartbleed says the flaw was accidental, despite its catastrophic consequences.
Written by Charlie Osborne, Contributing Writer

The Heartbleed bug has rocked the security industry and web services in the past few days. However, the programmer responsible for the oversight says that it was an accident that the flaw was introduced in the first place.

Heartbleed is a memory-disclosure flaw in the TLS heartbeat extension of OpenSSL, affecting the 1.0.1 series (1.0.1 through 1.0.1f) and the 1.0.2-beta release; the library is used widely across the web and in a number of popular web services. The flaw does not break the encryption itself: it lets an attacker read chunks of a server's memory, exposing data behind apparently-secure HTTPS connections, usually denoted by a small closed padlock in a browser's address bar.

The data potentially at risk includes everything from passwords and encryption keys to financial details and personally identifiable information -- allowing an attacker to dip in, swipe data, and leave no trace of their existence.

Commenting on the discovery, Bruce Schneier wrote on his security blog Schneier on Security:

"Basically, an attacker can grab 64K of memory from a server. The attack leaves no trace, and can be done multiple times to grab a different random 64K of memory. This means that anything in memory -- SSL private keys, user keys, anything -- is vulnerable.

And you have to assume that it is all compromised. All of it. ‘Catastrophic’ is the right word. On the scale of one to 10, this is an 11."

OpenSSL programmer Robin Seggelmann told the Sydney Morning Herald that the vulnerable code leading to the Heartbleed flaw, part of the OpenSSL project, was submitted by him and reviewed by peer programmers involved in the project.

This code added a new feature, the TLS heartbeat extension, to the encryption library later used by millions of websites, and it was this bolt-on code that introduced the bug, caused by "missing validation on a variable containing a length": the server trusts the length field in an incoming heartbeat message and copies that many bytes back to the sender, without checking how many bytes actually arrived. Neither Seggelmann nor a peer reviewer noticed the missing validation, and so the code made its way from development into the released version of the library.
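The mechanics of that missing check, as an added illustration written for this article (constructed demo code, not OpenSSL's own): a simulated heartbeat handler in C that, with validation switched off, reproduces the over-read, and with validation on applies the same bounds test the fix added. The request layout, the four-byte "ping" payload and the private-key-looking string placed right after the record in a stand-in memory buffer are all constructed for the demo.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* TLS heartbeat message layout (RFC 6520):
 *   type (1) | payload_length (2, big-endian) | payload | padding (>= 16)
 * Everything below is a constructed demo, not OpenSSL's code. */
#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_PADDING   16
#define HB_MAX_RESP  (1 + 2 + 0xFFFF + HB_PADDING)

/* Build the response to the heartbeat request held in rec[0..rec_len).
 * validate == 0: the Heartbleed pattern. The 16-bit length is trusted and
 *   never compared with rec_len, so memcpy reads past the end of the record
 *   into whatever sits after it in memory.
 * validate != 0: the bounds check the fix added. A claimed payload that
 *   would not fit in the received record gets the request silently dropped.
 * Returns the number of bytes written to out (which must hold HB_MAX_RESP
 * bytes), or 0 if the request was dropped. */
static size_t heartbeat_response(const unsigned char *rec, size_t rec_len,
                                 unsigned char *out, int validate)
{
    if (rec_len < 3 || rec[0] != HB_REQUEST)   /* need type + length to parse */
        return 0;
    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];  /* attacker-chosen */
    const unsigned char *payload = rec + 3;

    /* The missing check: header + claimed payload + minimum padding must fit
     * inside the bytes that actually arrived. */
    if (validate && 1 + 2 + payload_len + HB_PADDING > rec_len)
        return 0;

    out[0] = HB_RESPONSE;
    out[1] = (unsigned char)(payload_len >> 8);
    out[2] = (unsigned char)(payload_len & 0xFF);
    memcpy(out + 3, payload, payload_len);     /* the over-read when !validate */
    memset(out + 3 + payload_len, 0, HB_PADDING);
    return 3 + payload_len + HB_PADDING;
}

/* Constructed stand-in for whatever happens to follow the record in the
 * server's memory; a real leak carries whatever the heap held at the time. */
static const char SECRET[] = "-----BEGIN RSA PRIVATE KEY----- (constructed demo)";
#define REAL_PAYLOAD_LEN 4                              /* "ping" */
#define SECRET_OFFSET (REAL_PAYLOAD_LEN + HB_PADDING)   /* offset inside payload */

/* Lay out a request that claims claimed_len payload bytes but carries only
 * four, followed immediately by SECRET. Returns the real record length. */
static size_t build_memory(unsigned char *mem, size_t claimed_len)
{
    size_t pos = 0;
    mem[pos++] = HB_REQUEST;
    mem[pos++] = (unsigned char)(claimed_len >> 8);
    mem[pos++] = (unsigned char)(claimed_len & 0xFF);
    memcpy(mem + pos, "ping", REAL_PAYLOAD_LEN); pos += REAL_PAYLOAD_LEN;
    memset(mem + pos, 0xAA, HB_PADDING);          pos += HB_PADDING;
    memcpy(mem + pos, SECRET, sizeof SECRET);     /* lives past the record */
    return pos;
}

/* Send one request; return the response length (0 = dropped) and set
 * *leaked when the response carries SECRET, i.e. bytes past the record. */
static size_t run_heartbeat(size_t claimed_len, int validate, int *leaked)
{
    static unsigned char mem[HB_MAX_RESP];   /* large enough for any over-read */
    static unsigned char out[HB_MAX_RESP];
    memset(mem, 0, sizeof mem);
    size_t rec_len = build_memory(mem, claimed_len);
    size_t n = heartbeat_response(mem, rec_len, out, validate);
    *leaked = 0;
    if (n >= 3 + SECRET_OFFSET + (sizeof SECRET - 1) + HB_PADDING &&
        memcmp(out + 3 + SECRET_OFFSET, SECRET, sizeof SECRET - 1) == 0)
        *leaked = 1;
    return n;
}

size_t hb_response_len(size_t claimed_len, int validate)
{ int leaked; return run_heartbeat(claimed_len, validate, &leaked); }

int hb_leaks_secret(size_t claimed_len, int validate)
{ int leaked; run_heartbeat(claimed_len, validate, &leaked); return leaked; }

int main(void)
{
    printf("honest request (4 bytes): vulnerable=%zu fixed=%zu bytes\n",
           hb_response_len(4, 0), hb_response_len(4, 1));
    printf("malicious request (claims 65535): vulnerable=%zu bytes, leaks=%d; fixed=%zu bytes\n",
           hb_response_len(0xFFFF, 0), hb_leaks_secret(0xFFFF, 0),
           hb_response_len(0xFFFF, 1));
    return 0;
}
```

An honest request is answered identically by both versions; a request claiming 65535 bytes while carrying four gets a 65554-byte reply from the unchecked handler, with the constructed secret inside it, and no reply at all once the length is checked. Because the length field is 16 bits, each request returns at most 64 KB, which is the figure in the quote above, and nothing about the exchange looks abnormal to the server.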

The German software developer denies that the security flaw was included deliberately, and told the publication that while the error introduced into OpenSSL was "trivial," the impact was "severe."

Seggelmann noted that conspiracy theories are tempting ways to explain the bug, especially in light of ex-NSA contractor Edward Snowden's document leaks detailing the surveillance activities of governments worldwide. While admitting it is "a possibility" that spy agencies may have known about and exploited Heartbleed in the past two years, he said the vulnerability "was not intended." Seggelmann commented:

"In this case, it was a simple programming error in a new feature, which unfortunately occurred in a security relevant area. It was not intended at all, especially since I have previously fixed OpenSSL bugs myself, and was trying to contribute to the project."

Many sites have patched the security flaw, including Facebook, YouTube, Tumblr, Reddit and Instagram. You can use LastPass' Heartbleed checker to see if your favorite web services are still vulnerable to the flaw. Change your password only once a service has patched, since a password entered on a still-vulnerable server can be leaked again; and because server private keys were among the data exposed, operators should also reissue their certificates and revoke the old ones after patching.
