Heartbleed OpenSSL Bug Not Inserted Deliberately
The Heartbleed OpenSSL Internet bug that was discovered last week and has quickly become one of the most infamous exploits ever wasn't inserted into the code deliberately, says the German software developer who accidentally let the exploit slip by unnoticed.
Dr. Robin Seggelmann from Germany says that the Heartbleed bug was able to exist simply due to a human error made over two years ago. In comments to the media, Dr. Seggelmann said he and code reviewer Dr. Stephen Henson simply did not catch Heartbleed.
"I was working on improving OpenSSL and submitted numerous bug fixes and added new features," Dr. Seggelmann said. "In one of the new features, unfortunately, I missed validating a variable containing a length."
"But in this case, it was a simple programming error in a new feature, which unfortunately occurred in a security relevant area," he said. After Dr. Seggelmann and Dr. Henson missed Heartbleed, "the error made its way from the development branch into the released version."
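To make concrete the kind of check Dr. Seggelmann describes missing, here is an added example written for this article (it is not OpenSSL's own code): a simplified heartbeat-style record handler in C that reads the sender-supplied length field and validates it against the number of bytes actually received before echoing anything back. The record layout follows the RFC 6520 heartbeat shape, but the constant names, the `demo_*` helpers and the constructed sample requests are assumptions of the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Added, simplified model of a TLS heartbeat record (RFC 6520 layout):
 *   byte 0      : message type (1 = request, 2 = response)
 *   bytes 1..2  : payload_length, big-endian
 *   then        : payload_length bytes of payload, then >= 16 bytes padding
 * Illustrative code written for this article, not OpenSSL's implementation.
 */
enum { HB_REQUEST = 1, HB_RESPONSE = 2, HB_HEADER = 3, HB_MIN_PADDING = 16 };

/* The length an implementation that trusts the header would copy. */
size_t claimed_payload_length(const uint8_t *rec, size_t rec_len)
{
    if (rec_len < HB_HEADER) return 0;
    return ((size_t)rec[1] << 8) | rec[2];
}

/*
 * Hardened handler: returns the response size written to out, or -1 when the
 * record is malformed. The sender-controlled length is compared against the
 * bytes actually received instead of being trusted.
 */
int build_heartbeat_response(const uint8_t *rec, size_t rec_len,
                             uint8_t *out, size_t out_cap)
{
    if (rec_len < HB_HEADER + HB_MIN_PADDING) return -1;   /* too short to be valid */
    if (rec[0] != HB_REQUEST) return -1;
    size_t payload_len = claimed_payload_length(rec, rec_len);
    /* The missing check: the claimed payload must fit inside the received record. */
    if (HB_HEADER + payload_len + HB_MIN_PADDING > rec_len) return -1;
    size_t resp_len = HB_HEADER + payload_len + HB_MIN_PADDING;
    if (resp_len > out_cap) return -1;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HEADER, rec + HB_HEADER, payload_len);    /* echo only what arrived */
    memset(out + HB_HEADER + payload_len, 0, HB_MIN_PADDING); /* fresh padding, never stale memory */
    return (int)resp_len;
}

/* Constructed request whose length field may disagree with the real payload size. */
static size_t make_request(uint8_t *buf, size_t cap, const char *payload, uint16_t claimed_len)
{
    size_t plen = strlen(payload);
    size_t total = HB_HEADER + plen + HB_MIN_PADDING;
    if (total > cap) return 0;
    buf[0] = HB_REQUEST;
    buf[1] = (uint8_t)(claimed_len >> 8);
    buf[2] = (uint8_t)(claimed_len & 0xff);
    memcpy(buf + HB_HEADER, payload, plen);
    memset(buf + HB_HEADER + plen, 0xAA, HB_MIN_PADDING);
    return total;
}

/* Honest request: 3 payload bytes, length field says 3. Returns the response size. */
int demo_honest_request(void)
{
    uint8_t req[64], resp[64];
    size_t n = make_request(req, sizeof req, "abc", 3);
    return build_heartbeat_response(req, n, resp, sizeof resp);
}

/* Lying request: 3 payload bytes, length field says 65535. Returns -1 (rejected). */
int demo_oversized_request(void)
{
    uint8_t req[64], resp[64];
    size_t n = make_request(req, sizeof req, "abc", 0xFFFF);
    return build_heartbeat_response(req, n, resp, sizeof resp);
}

/* How many bytes an unchecked handler would have echoed for the lying request. */
size_t demo_oversized_claim(void)
{
    uint8_t req[64];
    size_t n = make_request(req, sizeof req, "abc", 0xFFFF);
    return claimed_payload_length(req, n);
}

int main(void)
{
    printf("honest request -> response of %d bytes\n", demo_honest_request());
    printf("lying request  -> %d (rejected); unchecked code would echo %zu bytes\n",
           demo_oversized_request(), demo_oversized_claim());
    return 0;
}
```

The point of the example is the single comparison against `rec_len`: with it, a record that claims far more payload than it carries is dropped; without it, the handler would copy the claimed number of bytes from whatever follows the short record in memory, which is exactly why a missing length check in a code path that handles TLS state can expose unrelated secrets.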
"It was not intended at all, especially since I have previously fixed OpenSSL bugs myself, and was trying to contribute to the project," he said.
"It's unfortunate that it's used by millions of people, but only very few actually contribute to it. The benefit of open source software is that anyone can review the code in the first place. The more people look at it, the better, especially with a software like OpenSSL."
Dr. Seggelmann also denied that he had any knowledge of intelligence agencies exploiting Heartbleed, but said that "it is a possibility."
What is Heartbleed?
If you haven't heard by now, Heartbleed could be the worst exploit ever found -- at least according to doomsayers. Heartbleed affects the OpenSSL encryption library used on two-thirds of the world's websites. The exploit was discovered by the Finland-based security firm Codenomicon early last week.
"The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs)," Codenomicon wrote on Heartbleed.com.
The firm even tested out Heartbleed itself, saying that "We attacked ourselves from outside, without leaving a trace. Without using any privileged information or credentials we were able to steal from ourselves the secret keys used for our X.509 certificates, user names and passwords, instant messages, emails and business critical documents and communication."
Major web services provided by companies such as Google and Yahoo were affected, including most major social media sites other than Twitter. Most websites that were open to Heartbleed have since patched up the security hole.
You can find out which sites were affected by Heartbleed here, and for a detailed security analysis on what you can do, visit KrebsOnSecurity.