Heartbleed bug was a mishap, admits developer

Apr 12, 2014, 11:22 IST | Agencies

Developer confesses to causing coding error, admits its severity

London: Despite speculation that the Heartbleed flaw was deliberately created by government agencies to spy on us, a developer has now come forward and confessed to causing the problem.

German programmer Dr Robin Seggelmann accepted that he wrote the code, which was then reviewed by other members and eventually added to the OpenSSL software. He admitted the mistake itself was ‘trivial’, but its effect was ‘clearly severe’.

Heartbleed bug
Unnoticed: The code was added on New Year’s Eve in 2011, and no one spotted the mistake until earlier this month

The code was added on New Year’s Eve in 2011 and no-one spotted the mistake until earlier this month.

“It was a simple programming error in a new feature, which unfortunately occurred in a security relevant area. It was not intended at all, especially since I have previously fixed OpenSSL bugs myself, and was trying to contribute to the project,” Seggelmann said.

He added that the flaw was missed by him and a reviewer, who appears to have been Dr Stephen Henson, according to the logs. OpenSSL is an open-source programme that anyone can contribute to and improve. Changes are submitted and reviewed before being added to the final release. Websites are then sent this release to update their systems.

This meant the error moved from development team to the released version and eventually the websites without being identified.

The Heartbleed bug lets hackers eavesdrop on supposedly secure communications. It was detected by a team from Google Security and Codenomicon in the OpenSSL cryptographic software.

Affected sites, including Google and Facebook, have fixed the problem, but its users have been complaining they’re being left in the dark as to what it means for their personal data. Still, thousands of websites who are yet to fix the problem, or officially announce the fix — leaving their users in limbo.

Go to top