
Coder who left the door open for Heartbleed says his gaffe was an “oversight”

You can't have missed the eruption of media coverage over the gaping Heartbleed vulnerability in OpenSSL, and the man who made the coding blunder has now spoken out and said that it was an "oversight."

The man in question is German programmer Robin Seggelmann, who apparently submitted the vulnerable piece of code at a minute to midnight on New Year's Eve 2011 (that must have been some NY party he was at – though in all seriousness, he does stress the point that festive celebrations had nothing to do with the flaw creeping in).

According to the Guardian, Seggelmann said: "I am responsible for the error, because I wrote the code and missed the necessary validation by an oversight. Unfortunately, this mistake also slipped through the review process and therefore made its way into the released version."

Indeed it isn't just his fault, of course: whoever reviewed the change should have picked up on the problem, because it's actually a very basic bug (a missing bounds check), as we discussed yesterday in our closer look at how Heartbleed actually works.

The short version is that the bug sits in OpenSSL's implementation of the TLS heartbeat extension, a keep-alive in which one side sends a small payload and the other echoes it back to confirm the connection is still live. Each heartbeat request carries its own payload length field, and a malicious client can claim a large payload (the field is 16 bits, so up to 64 KB) while actually sending only a byte or so. The vulnerable server never compares that claim with the size of the record it really received: it builds the response by copying the claimed number of bytes starting at the payload, so everything beyond the few bytes the client sent is whatever happened to be sitting next to the request in the server's memory.

That chunk of memory comes back to the attacker in the heartbeat response, and the request can be repeated as often as they like. The attacker can then pore over the results, which may contain anything that was in the server process's memory at the time, from passwords through encryption keys to credit card details.
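To make the missing check concrete, here is an added example (not code from the article, and not OpenSSL's own source) that mirrors the shape of the vulnerable heartbeat handler next to the checks the fix introduced. The record buffer, the 5-byte "hello" payload and the "session-key" string planted just past the end of the record are all constructed for the demo; the handler names and the hb_record type are this example's, not OpenSSL's.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TLS1_HB_REQUEST  1
#define TLS1_HB_RESPONSE 2
#define HB_PADDING       16   /* heartbeat messages carry at least 16 bytes of padding */

/* Constructed stand-in for a TLS record buffer: the heartbeat record occupies the
 * first record_len bytes; what follows plays the role of adjacent process memory. */
typedef struct {
    unsigned char arena[256];
    size_t record_len;
} hb_record;

/* Build a request whose length field claims claimed_len payload bytes while only a
 * 5-byte payload is really present, then plant a made-up secret just past the record. */
static hb_record make_request(uint16_t claimed_len)
{
    hb_record r;
    unsigned char *p = r.arena;
    const char *secret = "SECRET:session-key=0123456789abcdef"; /* constructed, not real key material */

    memset(r.arena, 0, sizeof r.arena);
    *p++ = TLS1_HB_REQUEST;
    *p++ = (unsigned char)(claimed_len >> 8);   /* payload length, big-endian */
    *p++ = (unsigned char)(claimed_len & 0xff);
    memcpy(p, "hello", 5);                      /* the payload actually sent */
    p += 5 + HB_PADDING;                        /* padding bytes are already zero */
    r.record_len = (size_t)(p - r.arena);       /* 24: what really arrived on the wire */
    memcpy(p, secret, strlen(secret));          /* adjacent memory, outside the record */
    return r;
}

typedef size_t (*hb_handler)(const hb_record *r, unsigned char *out, size_t out_cap);

/* Vulnerable handler: the payload length is read from the packet and never compared
 * with the length of the record that was actually received. */
static size_t heartbeat_vulnerable(const hb_record *r, unsigned char *out, size_t out_cap)
{
    const unsigned char *p = r->arena;
    unsigned char hbtype = *p++;
    uint16_t payload = (uint16_t)((p[0] << 8) | p[1]);
    p += 2;
    if (hbtype != TLS1_HB_REQUEST || (size_t)3 + payload + HB_PADDING > out_cap)
        return 0;   /* the response buffer is sized to the claim, so the write side is fine */
    out[0] = TLS1_HB_RESPONSE;
    out[1] = (unsigned char)(payload >> 8);
    out[2] = (unsigned char)(payload & 0xff);
    memcpy(out + 3, p, payload);   /* BUG: reads 'payload' bytes, far past what the client sent */
    memset(out + 3 + payload, 0, HB_PADDING);
    return 3 + payload + HB_PADDING;
}

/* Hardened handler: the two bounds checks the fix added, everything else unchanged. */
static size_t heartbeat_fixed(const hb_record *r, unsigned char *out, size_t out_cap)
{
    const unsigned char *p = r->arena;
    unsigned char hbtype;
    uint16_t payload;
    if (1 + 2 + HB_PADDING > r->record_len)        /* too short to hold even an empty payload */
        return 0;
    hbtype = *p++;
    payload = (uint16_t)((p[0] << 8) | p[1]);
    p += 2;
    if ((size_t)1 + 2 + payload + HB_PADDING > r->record_len)
        return 0;                                  /* claim exceeds the record: silently drop */
    if (hbtype != TLS1_HB_REQUEST || (size_t)3 + payload + HB_PADDING > out_cap)
        return 0;
    out[0] = TLS1_HB_RESPONSE;
    out[1] = (unsigned char)(payload >> 8);
    out[2] = (unsigned char)(payload & 0xff);
    memcpy(out + 3, p, payload);                   /* now provably inside the record */
    memset(out + 3 + payload, 0, HB_PADDING);
    return 3 + payload + HB_PADDING;
}

/* Response length for a request with the given claimed payload length (0 = dropped).
 * The arena guard only keeps this demo's over-read in bounds; the real server had none. */
static size_t response_len(hb_handler h, uint16_t claimed_len)
{
    hb_record r = make_request(claimed_len);
    unsigned char out[512];
    if ((size_t)3 + claimed_len > sizeof r.arena) return (size_t)-1;
    return h(&r, out, sizeof out);
}

/* 1 if the bytes the handler echoes back include the planted secret. */
static int leaks_secret(hb_handler h, uint16_t claimed_len)
{
    hb_record r = make_request(claimed_len);
    unsigned char out[512];
    const char *needle = "session-key=0123456789abcdef";
    size_t n, m = strlen(needle);
    if ((size_t)3 + claimed_len > sizeof r.arena) return -1;
    n = h(&r, out, sizeof out);
    for (size_t i = 0; i + m <= n; i++)           /* plain byte search; memmem is not portable */
        if (memcmp(out + i, needle, m) == 0) return 1;
    return 0;
}

int main(void)
{
    printf("vulnerable, claims 100: %zu bytes back, leaks secret: %d\n",
           response_len(heartbeat_vulnerable, 100), leaks_secret(heartbeat_vulnerable, 100));
    printf("fixed,      claims 100: %zu bytes back, leaks secret: %d\n",
           response_len(heartbeat_fixed, 100), leaks_secret(heartbeat_fixed, 100));
    printf("fixed,      honest 5:   %zu bytes back\n", response_len(heartbeat_fixed, 5));
    return 0;
}
```

With a claimed length of 100 the vulnerable handler returns 119 bytes whose tail is the planted secret, while the fixed handler drops the request outright; an honest 5-byte heartbeat still gets its 24-byte echo from the fixed code. On a real server the claimed length could be anything up to 65535, and nothing bounded the read to a 256-byte arena.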

Seggelmann noted that he didn't believe that this was a failure in terms of open source software, commenting: "On the contrary, the publicly accessible code made it possible that the error has been discovered and published. I can only assume that it took so long because it's in a new feature which is not widely used and not a conceptual, but a simple programming error."

He further remarked on how few resources OpenSSL has at its disposal, with only a handful of contributors for a project of its importance.

For more on this topic, see: Heartbleed and your passwords: An in-depth guide to what action you should take.