
Heartbleed written by 'mistake'

April 11, 2014

A German programmer has said he introduced the Internet security flaw "Heartbleed" by mistake. The bug has opened a serious security hole that exposes passwords and the contents of encrypted transactions to attackers.

https://p.dw.com/p/1BgB4

In an email interview with the online version of the news magazine Der Spiegel, a German programmer said he created the bug unintentionally.

The Heartbleed flaw was disclosed late on Monday and is described by experts as one of the biggest security holes in the history of the Internet. Heartbleed is a bug in OpenSSL, an open-source cryptographic library that implements the SSL/TLS protocols and is used by a large share of the web servers that offer encrypted "https" connections. Web sites and online services rely on OpenSSL to protect passwords, credit card numbers and other data sent over the Internet; the flaw lets an attacker read such data out of a server's memory without breaking the encryption itself.

"I've worked on OpenSSL and filed a number of bug fixes and new features. In one patch for a new feature I apparently overlooked a length check," the unnamed programmer told Der Spiegel, adding that, "the mistake itself is fairly trivial." He said the mistake was also overlooked by someone checking the work in the United Kingdom.

Although it only came to light this week, the flaw had gone undetected for about two years: the faulty code shipped in OpenSSL 1.0.1 in March 2012.

Security specialists had previously said Heartbleed appeared to be the result of a mistake in writing the OpenSSL code.

On Thursday, the computer networking giants Cisco and Juniper put out advisories about the bug.

"An exploit could allow the attacker to disclose a limited portion of memory from a connected client or server," the California-based Cisco announced in an advisory note.

"The disclosed portions of memory could contain sensitive information."
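The programmer's "overlooked length check" and Cisco's "limited portion of memory" describe the same mechanism: a TLS heartbeat request carries a declared payload length, the server echoes that many bytes back, and because the declared length was never compared with the record actually received, the echo could read beyond it into neighbouring memory. The following C program is an added example, not code from the article or from OpenSSL itself. It models the heartbeat handler over a simulated heap, placing the vulnerable logic beside the form with the check the fix introduced. The record layout (type byte, two-byte length, payload, at least 16 bytes of padding) follows RFC 6520; the 512-byte simulated heap, the `secret` string, the `probe` helper and all function names are constructed for this demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define TLS1_HB_REQUEST  1
#define TLS1_HB_RESPONSE 2
#define HB_PADDING       16   /* minimum padding required by RFC 6520 */
#define MEM_SIZE         512

/* Constructed stand-in for the server's heap: the received heartbeat record
 * sits at offset 0 and the "secret" follows it, like a neighbouring allocation. */
static unsigned char memory[MEM_SIZE];
static const char secret[] = "Cookie: session=4f9a1c7e; user=alice";

/* Heartbeat request with a real 5-byte payload but an attacker-chosen
 * declared length. Returns the number of bytes that actually arrived (24). */
static size_t build_request(uint16_t declared_len)
{
    size_t n = 0;
    memset(memory, 0, sizeof memory);
    memory[n++] = TLS1_HB_REQUEST;
    memory[n++] = (unsigned char)(declared_len >> 8);
    memory[n++] = (unsigned char)(declared_len & 0xff);
    memcpy(memory + n, "hello", 5);
    n += 5 + HB_PADDING;                 /* payload + zero-filled padding */
    memcpy(memory + n, secret, sizeof secret);
    return n;
}

/* Modelled on OpenSSL's tls1_process_heartbeat: allocate 1 + 2 + payload +
 * padding bytes and echo `payload` bytes from p (OpenSSL uses random padding). */
static unsigned char *build_response(const unsigned char *p, uint16_t payload,
                                     size_t *resp_len)
{
    unsigned char *resp, *bp;
    *resp_len = 1 + 2 + payload + HB_PADDING;
    if ((resp = bp = malloc(*resp_len)) == NULL) return NULL;
    *bp++ = TLS1_HB_RESPONSE;
    *bp++ = (unsigned char)(payload >> 8);
    *bp++ = (unsigned char)(payload & 0xff);
    memcpy(bp, p, payload);              /* copies whatever follows p */
    memset(bp + payload, 0, HB_PADDING);
    return resp;
}

/* Vulnerable: the declared length is trusted and never compared with
 * rec_len, so memcpy reads past the bytes that were actually received. */
unsigned char *vulnerable_heartbeat(const unsigned char *rec, size_t rec_len,
                                    size_t *resp_len)
{
    uint16_t payload;
    (void)rec_len;                       /* the overlooked length check */
    if (rec[0] != TLS1_HB_REQUEST) return NULL;
    payload = (uint16_t)((rec[1] << 8) | rec[2]);
    return build_response(rec + 3, payload, resp_len);
}

/* Fixed, as in OpenSSL 1.0.1g: the header must fit in the record, and so must
 * declared payload + padding; otherwise discard silently (RFC 6520, sec. 4). */
unsigned char *fixed_heartbeat(const unsigned char *rec, size_t rec_len,
                               size_t *resp_len)
{
    uint16_t payload;
    if ((size_t)1 + 2 + HB_PADDING > rec_len || rec[0] != TLS1_HB_REQUEST)
        return NULL;
    payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)1 + 2 + payload + HB_PADDING > rec_len) return NULL;
    return build_response(rec + 3, payload, resp_len);
}

static int contains(const unsigned char *hay, size_t hay_len, const char *needle)
{
    size_t nlen = strlen(needle);
    for (size_t i = 0; i + nlen <= hay_len; i++)
        if (memcmp(hay + i, needle, nlen) == 0) return 1;
    return 0;
}

typedef unsigned char *(*hb_handler)(const unsigned char *, size_t, size_t *);
/* Feed a request with the given declared length to a handler: 1 if the reply
 * contains the secret, 0 if not, -1 if discarded, -2 if it would leave `memory`. */
int probe(hb_handler handler, uint16_t declared_len)
{
    size_t rec_len, resp_len;
    unsigned char *resp;
    if ((size_t)3 + declared_len > MEM_SIZE) return -2;
    rec_len = build_request(declared_len);
    if ((resp = handler(memory, rec_len, &resp_len)) == NULL) return -1;
    int leaked = contains(resp, resp_len, secret);
    free(resp);
    return leaked;
}

int main(void)
{
    printf("declared length 200: vulnerable=%d fixed=%d\n",
           probe(vulnerable_heartbeat, 200), probe(fixed_heartbeat, 200));
    return 0;
}
```

Built with any C99 compiler, the program shows that a declared length of 200 against a 5-byte payload makes the vulnerable handler's reply carry the constructed secret, while the fixed handler silently drops the request. The `-2` guard exists only to keep this demonstration inside its own array; a real server had no such bound, and a declared length of 65535 pulled back whatever the neighbouring heap allocations held, which is how session cookies and in some cases private keys could be recovered.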

Since the flaw was exposed, companies and government agencies have rushed to patch affected systems and update to fixed versions of OpenSSL (1.0.1g or later). They have also urged Internet users to change the passwords of online accounts and services, a step that only helps once the service in question has installed the fix and replaced the certificates and keys that may have been exposed.

The group behind open-source OpenSSL gave credit for finding the bug to Neel Mehta of Google Security.

hc/mkg (AFP, dpa, Der Spiegel)