The coder responsible for the “Heartbleed” bug has expressed regret over the damage caused, but points out that the error itself was “quite trivial.”
The German developer who introduced the bug in 2012, identified by the Sydney Morning Herald as Robin Seggelmann, explained that in coding terms the flaw was little more than a minor oversight: “It was a simple programming error in a new feature, which unfortunately occurred in a security relevant area.”
Heartbleed, estimated by some to affect two-thirds of all websites, made it possible to request data from servers that would normally be off-limits — almost any data held by the server, from credit card numbers to medical records, could be pulled out by exploiting the bug.
The programming error also escaped the OpenSSL project’s code reviewer, allowing it to enter the publicly released version of the software. There’s no big software development team: OpenSSL is a small, open-source project managed by a community of coders who receive little or no pay.
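Heartbleed's defect was a length field supplied by the peer that was trusted without being checked against the bytes actually received. As an added example (not OpenSSL's code), the toy record parser below shows that defect beside its bounds-checked form; the record layout, function names and the ARENA bytes are constructed for the demonstration.

```c
#include <stdint.h>
#include <string.h>

/* Toy heartbeat-style record (constructed layout, not the real TLS wire format):
 * 1-byte type, 2-byte big-endian declared payload length, then the payload. */
#define HB_HEADER_LEN 3
/* Defective parser: trusts the declared length and never compares it with the
 * bytes that actually arrived, so it copies whatever memory follows the record. */
static size_t parse_heartbeat_unchecked(const uint8_t *rec, uint8_t *out) {
    size_t declared = ((size_t)rec[1] << 8) | rec[2];
    memcpy(out, rec + HB_HEADER_LEN, declared);
    return declared;
}
/* Hardened parser: each length read from the wire is bounded by the bytes
 * received and by the destination buffer before anything is copied. */
static int parse_heartbeat_checked(const uint8_t *rec, size_t rec_len,
                                   uint8_t *out, size_t out_cap, size_t *out_len) {
    if (rec_len < HB_HEADER_LEN) return -1;             /* truncated header */
    size_t declared = ((size_t)rec[1] << 8) | rec[2];
    if (declared > rec_len - HB_HEADER_LEN) return -1;  /* the missing bounds check */
    if (declared > out_cap) return -1;                  /* destination too small */
    memcpy(out, rec + HB_HEADER_LEN, declared);
    *out_len = declared;
    return 0;
}
/* Constructed arena: a 7-byte record carrying "ping" but declaring 16 payload bytes,
 * then bytes standing in for unrelated heap memory (one array keeps the demo defined). */
static const uint8_t ARENA[] = {
    0x01, 0x00, 0x10, 'p', 'i', 'n', 'g',
    'S', 'E', 'C', 'R', 'E', 'T', '-', 'D', 'A', 'T', 'A', '!', '!', '!'
};
#define RECORD_LEN 7

/* Bytes beyond the real 4-byte payload that the unchecked parser hands back. */
size_t demo_leaked_bytes(void) {
    uint8_t out[64];
    return parse_heartbeat_unchecked(ARENA, out) - (RECORD_LEN - HB_HEADER_LEN);
}
/* Whether the checked parser rejects the same record instead of over-reading. */
int demo_checked_rejects(void) {
    uint8_t out[64]; size_t n = 0;
    return parse_heartbeat_checked(ARENA, RECORD_LEN, out, sizeof out, &n) != 0;
}
/* Whether a well-formed record (declared length 4, 4 bytes present) still parses. */
int demo_checked_accepts_valid(void) {
    const uint8_t good[] = { 0x01, 0x00, 0x04, 'p', 'i', 'n', 'g' };
    uint8_t out[64]; size_t n = 0;
    return parse_heartbeat_checked(good, sizeof good, out, sizeof out, &n) == 0
        && n == 4 && memcmp(out, "ping", 4) == 0;
}
```

The single comparison marked "the missing bounds check" is the whole fix: a reviewer looking at any parser that copies a peer-supplied length should expect to see it before the copy.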
This may seem incongruous with the fact that it is used by so many websites, but the software has become an industry standard regardless of its humble support base.
“It’s unfortunate that it’s used by millions of people, but only very few actually contribute to it,” lamented Seggelmann. He also denied inserting the bug deliberately, an allegation that has been making the rounds.
The bug was simple enough for the OpenSSL team to fix almost instantly once they were alerted, but users remain exposed until websites update their servers to the new versions — a process which, for large websites like Tumblr, Gmail and Instagram, is far from trivial. Many websites are advising their users to change passwords once the problem is fixed.