Programmer responsible for Heartbleed bug: It was an accident

Giuseppe Macri Tech Editor
Font Size:

The programmer behind the widespread security flaw that left usernames, passwords, communications, account and event credit card information exposed across the Internet said in a recent interview the bug was a mistake.

German software developer Robin Seggelmann wrote the code portion of OpenSSL responsible for the security hole researchers have deemed catastrophic due to the widespread use of the security software, which encrypts Internet communications on HTTPS-secured sites and services. The security-type, along with the bugged code specifically, has been used by some of the most popular sites and services online for the last two years.

Seggelmann responded to allegations the flaw was implemented purposefully to let hackers intercept users’ private, sensitive information in plain text from the servers behind their Internet destinations. But he claims the mistake was so ‘trivial’ it went unnoticed by reviewers and made it into the final version of OpenSSL that launched on Dec. 31, 2011.

“I was working on improving OpenSSL and submitted numerous bug fixes and added new features,” Seggelmann said in a Friday Sydney Morning Herald report. “In one of the new features, unfortunately, I missed validating a variable containing a length.”

The bug, which Seggelmann said could “be explained pretty easily,” turned out to be quite “severe” according to the programmer — theoretically exposing up to two-thirds of all internet traffic for more than two years.

Seggelmann came forward to dissuade mounting conspiracy theories that the bug had been planted on purpose, and said that given the nature of the damage he understood how that could be easy to believe.

“But in this case, it was a simple programming error in a new feature, which unfortunately occurred in a security relevant area,” Seggelmann said. “It was not intended at all, especially since I have previously fixed OpenSSL bugs myself, and was trying to contribute to the project.”

OpenSSL is attractive precisely for its open-source customizability, which anyone can contribute to, and is an easily implemented security feature. Though the programmer himself denies planting the bug, he doesn’t consider it a stretch of the imagination to assume government surveillance agencies have been exploiting it to intercept and spy on web traffic.

“It is a possibility, and it’s always better to assume the worst than best case in security matters, but since I didn’t know [about] the bug until it was released and [I am] not affiliated with any agency, I can only speculate.”

The programmer described the Heartbleed bug as a perfect example of why more people need to get involved in contributing to widely used open-source security software, as opposed to just adopting it.

“It’s unfortunate that it’s used by millions of people, but only very few actually contribute to it,” Seggelmann said. “The benefit of open source software is that anyone can review the code in the first place.

“The more people look at it, the better, especially with a software like OpenSSL.”

Sites and services are continuing to patch the bug, and some are warning users to stay off the Internet entirely for a few days until the destinations and programs they use have confirmed a fix.

Changing passwords before an update exposes them to the same flaw, and could potentially put them at even greater risk since the flaw was revealed to the public, and possible parties that would seek to take advantage of it.

Follow Giuseppe on Twitter