The Heartbleed bug, the worst security flaw the internet has ever encountered, was introduced to the world on New Year's Eve 2011.
The man behind the so-called coding error has come forward, confessing to causing the problem, and sharing his side of the story.
Programmer Robin Seggelmann, a German software developer, submitted the code in question in a security update at 11:50 p.m. on Dec. 31, 2011, intending to add the Heartbeat feature to OpenSSL's Transport Layer Security implementation.
Seggelmann was working on the OpenSSL project during his PhD studies, from 2008 to 2012. His code unfortunately created a loophole that lets malicious users trick servers.
The flaw in the code led to the Heartbleed bug, which is described as a "catastrophic" flaw that opened the world's largest library of personal information to hackers.
“I was working on improving OpenSSL and submitted numerous bug fixes and added new features,” Seggelmann said in an interview with the Sydney Morning Herald. “In one of the new features, unfortunately, I missed validating a variable containing a length.”
The submitted code is claimed to have been reviewed by Dr Stephen Henson, who “apparently also didn’t notice the missing validation,” allowing the coding error to make its way from development to the release and eventually to 500 million sites.
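The defect Seggelmann describes is a length field read from the incoming Heartbeat record and trusted without checking it against the number of bytes that actually arrived. The example below is an added, simplified model written for this article, not OpenSSL's code: the record layout follows RFC 6520 (type, 16-bit length, payload, at least 16 bytes of padding), and all function and constant names (`hb_validate`, `hb_build_response`, `HB_MIN_PADDING`, and so on) are hypothetical. `hb_unchecked_copy_length` only reports what an unchecked handler would take as the copy length; the hardened path refuses any record whose declared length does not fit inside the bytes received, which is the same class of check the OpenSSL fix added.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed, simplified model of a TLS Heartbeat record (RFC 6520):
 *   1 byte   type (1 = request, 2 = response)
 *   2 bytes  payload_length, big-endian
 *   N bytes  payload
 *   >=16 bytes random padding
 * This is illustrative code, not OpenSSL's; all names are hypothetical. */
#define HB_HEADER_LEN  3
#define HB_MIN_PADDING 16

/* Read the 16-bit big-endian length field. Caller guarantees >= 3 bytes. */
static uint16_t hb_declared_payload_length(const uint8_t *record) {
    return (uint16_t)((record[1] << 8) | record[2]);
}

/* Models the unvalidated logic: the declared length is trusted as-is and
 * becomes the number of payload bytes the response would echo, no matter
 * how many bytes actually arrived. Returns the count only; copies nothing. */
size_t hb_unchecked_copy_length(const uint8_t *record, size_t record_len) {
    if (record_len < HB_HEADER_LEN) return 0;
    return hb_declared_payload_length(record);
}

/* Hardened check: header + declared payload + minimum padding must fit
 * inside the record that was actually received. Returns 1 and sets
 * *payload_len if valid, 0 if the record must be silently discarded. */
int hb_validate(const uint8_t *record, size_t record_len, size_t *payload_len) {
    if (record_len < HB_HEADER_LEN + HB_MIN_PADDING) return 0;
    uint16_t declared = hb_declared_payload_length(record);
    if ((size_t)HB_HEADER_LEN + declared + HB_MIN_PADDING > record_len) return 0;
    *payload_len = declared;
    return 1;
}

/* Build a response using only bytes that are really present in the request. */
int hb_build_response(const uint8_t *record, size_t record_len,
                      uint8_t *out, size_t out_cap, size_t *out_len) {
    size_t plen;
    if (!hb_validate(record, record_len, &plen)) return 0;
    if (out_cap < HB_HEADER_LEN + plen + HB_MIN_PADDING) return 0;
    out[0] = 2;                       /* response type */
    out[1] = record[1];
    out[2] = record[2];
    memcpy(out + HB_HEADER_LEN, record + HB_HEADER_LEN, plen);
    /* Padding is zeroed here for determinism; a real implementation uses random bytes. */
    memset(out + HB_HEADER_LEN + plen, 0, HB_MIN_PADDING);
    *out_len = HB_HEADER_LEN + plen + HB_MIN_PADDING;
    return 1;
}

int main(void) {
    /* Constructed inputs: both carry a 4-byte payload plus 16 bytes of padding,
     * but the first one declares a payload length of 65535. */
    uint8_t bad[HB_HEADER_LEN + 4 + HB_MIN_PADDING]  = {1, 0xff, 0xff, 'p', 'i', 'n', 'g'};
    uint8_t good[HB_HEADER_LEN + 4 + HB_MIN_PADDING] = {1, 0x00, 0x04, 'p', 'i', 'n', 'g'};
    uint8_t out[64];
    size_t n = 0;

    printf("unchecked handler would echo %zu bytes from a %zu-byte record\n",
           hb_unchecked_copy_length(bad, sizeof bad), sizeof bad);
    printf("validated handler, malformed record accepted: %d\n",
           hb_build_response(bad, sizeof bad, out, sizeof out, &n));
    printf("validated handler, well-formed record accepted: %d, response %zu bytes\n",
           hb_build_response(good, sizeof good, out, sizeof out, &n), n);
    return 0;
}
```

The point worth taking from the model is that the length field is attacker-controlled input, and the only trustworthy bound is the record length the transport layer actually delivered; the comparison in `hb_validate` is the single line whose absence the article is about.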
Security expert Bruce Schneier, discussing whether Heartbleed was deliberate, also said, "My guess is accident, but I have no proof."
Heartbleed is a flaw in OpenSSL, the encryption library meant to ensure that users' communications can't be intercepted, and it went undiscovered for the last two years. Theoretically, up to two-thirds of the world's web servers run OpenSSL with the code in question.
Security researchers publicly announced the Heartbleed flaw on April 7, and it has turned into a security disaster for the web. Major websites affected by the vulnerability, including Google, Facebook and Yahoo, have already issued security patches.
With increasing speculation that the bug was inserted maliciously, Seggelmann clarified that the Heartbleed bug was a mistake and not deliberate.
“It was a simple programming error in a new feature, which unfortunately occurred in a security relevant area,” Seggelmann said. “It was not intended at all, especially since I have previously fixed OpenSSL bugs myself, and was trying to contribute to the project.”
However, Seggelmann added that it was possible that intelligence agencies had used the vulnerability over the past two years.
“It is a possibility, and it’s always better to assume the worst than best case in security matters, but since I didn’t know [about] the bug until it was released and [I am] not affiliated with any agency, I can only speculate.”