German Programmer Claims Responsibility For “Heartbleed” Internet Flaw; Says It Was An Accident

By Stephen Fuchs on Email @StephenWFuchs

heartbleed

Chances are that at some point during the last 48 hours you have heard about the potentially harmful “Heartbleed” flaw affecting roughly two-thirds of all websites, including popular sites like Facebook, Google, Yahoo and Tumblr. While the news put the internet into a state of panic, it’s safe to assume that no one felt more panicked than Robin Seggelmann, the German software developer who realized he was the one responsible for the catastrophic coding error.

Seggelmann, who currently resides in Münster, Germany, told The Sydney Morning Herald that the error was made to the open source OpenSSL encryption protocol over two years ago, just an hour before New Years Eve in 2011, and while he said the error was “quite trivial” its impact on the internet was “severe”.

“I was working on improving OpenSSL and submitted numerous bug fixes and added new features… In one of the new features, unfortunately, I missed validating a variable containing a length” Seggelmann said.

During code modifications, the changes are sent to a reviewer to catch mistakes like the “Heartbleed” flaw, however the reviewer, which logs show was Dr Stephen Henson, “apparently also didn’t notice the missing validation, so the error made its way from the development branch into the released version.”

Once it was discovered that Seggelmann was the man responsible, theories quickly formed online as to whether the critical flaw was inserted maliciously.  Seggelmann quickly denied making the error intentionally, stating that  the bad code “was not intended at all, especially since I have previously fixed OpenSSL bugs myself, and was trying to contribute to the project.”

As soon as the flaw was discovered by security researchers, a fix was immediately implemented and the popular sites affected were quick to patch their servers. However it is unknown whether hackers took advantage of the error, which left usernames, passwords, emails, and other personal documents vulnerable over the two-plus years that it went unfixed.  Finding out would be difficult since attacks could be carried out without leaving any trace.

For readers that may be concerned, German Pulse was not affected by the “Heartbleed” vulnerability.

 

Sources: HeartbleedSydney Morning Herald, Vox

Stephen Fuchs
Stephen founded German Pulse and LGBT Germany out of a passion to introduce Americans to a Germany that goes beyond beer and polka (although with enough beer he has been known to polka it up a bit). He's a coffee addict, lover of wine and good times, a hit in the kitchen and editor of TV commercials. You can follow him on Twitter (@StephenWFuchs) to find out a lot more.
Stephen Fuchs on EmailStephen Fuchs on LinkedinStephen Fuchs on Twitter