The programmer who inadvertently introduced the critical Heartbleed vulnerability into OpenSSL has spoken out. Robin Seggelmann, a Germany-based coder, has told The Guardian that it was an oversight, but added that the bug's eventual discovery shows the power of open source code.
"I am responsible for the error because I wrote the code and missed the necessary validation by an oversight. Unfortunately, this mistake also slipped through the review process and therefore made its way into the released version", Seggelmann said.
Part of the OpenSSL project, the code in question implements a simple function called Heartbeat, which sends a random data packet, along with its stated length, to the server; the server then sends the same data back to the client (the sender). The exchange confirms that the server is still listening.
But due to a programming bug, a client can lie about how much data is in the packet. For example, the client may send an 8-byte data packet but falsely claim to have sent 128 bytes. Unaware of this, the server may try to send back 128 bytes, filling the rest of the response with whatever other information happens to be in its memory at the time.
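To make the missing validation concrete, here is an added C illustration (not code from the article or from OpenSSL) of a toy heartbeat handler in the vulnerable shape beside the corrected check; the record layout, the 256-byte "memory" buffer and the "session-secret" neighbour are constructed for the demonstration.

```c
#include <stdint.h>
#include <string.h>

/* Toy heartbeat record: type(1) | payload_length(2, big-endian) | payload | padding(16).
 * Modelled on the TLS heartbeat layout for illustration; this is not OpenSSL's code. */
#define HB_PADDING 16

/* Constructed "process memory": the received record, then unrelated data that must never be echoed. */
static unsigned char memory[256];
static size_t record_len; /* bytes actually received for this record */

static void build_record(const char *payload, uint16_t claimed_len) {
    size_t n = strlen(payload);
    memset(memory, 0, sizeof memory);
    memory[0] = 1; /* heartbeat_request */
    memory[1] = (unsigned char)(claimed_len >> 8); memory[2] = (unsigned char)claimed_len;
    memcpy(memory + 3, payload, n);
    record_len = 3 + n + HB_PADDING;
    strcpy((char *)memory + record_len, "session-secret-constructed"); /* constructed neighbour */
}

static size_t claimed_length(void) { return (size_t)((memory[1] << 8) | memory[2]); }

/* Vulnerable shape: trusts the packet's length field (the clamp only keeps this demo well-defined). */
static size_t respond_unchecked(unsigned char out[sizeof memory]) {
    size_t n = claimed_length();
    if (n > sizeof memory - 3) n = sizeof memory - 3;
    memcpy(out, memory + 3, n);
    return n;
}

/* Fixed shape: header + claimed payload + minimum padding must fit inside the record actually received. */
static size_t respond_checked(unsigned char out[sizeof memory]) {
    size_t n = claimed_length();
    if (1 + 2 + n + HB_PADDING > record_len) return 0; /* discard the record */
    memcpy(out, memory + 3, n);
    return n;
}

/* The article's scenario (8 bytes sent, 128 claimed): 1 if the unchecked handler copies
 * neighbouring memory while the checked one discards it but still answers an honest record. */
static int scenario_from_article(void) {
    unsigned char out[sizeof memory];
    build_record("payload8", 128);
    int leaks = respond_unchecked(out) == 128 && memcmp(out + 24, "session-secret", 14) == 0;
    int rejected = respond_checked(out) == 0;
    build_record("payload8", 8);
    int honest = respond_checked(out) == 8 && memcmp(out, "payload8", 8) == 0;
    return leaks && rejected && honest;
}
```

The single comparison in `respond_checked` is the validation the article says was missed: the length the sender claims is checked against the bytes the server actually received before anything is copied.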
At Yahoo, this 'other' information included usernames and passwords of users logging in at the same time, while at DuckDuckGo, it was the full text of search queries, the report notes.
Seggelmann, who worked on the OpenSSL project during his PhD studies from 2008 to 2012, said that he submitted the code at 11:59 pm on New Year's Eve 2011, but denied that the mistake had anything to do with the festive season. He also said that the OpenSSL project is under-resourced, having millions of users but only a few contributors.