The Heartbleed bug, the OpenSSL vulnerability that can be exploited to obtain sensitive information from affected servers, has made a lot of headlines this week. The bug is highly critical because it can be used to steal passwords, financial data, and the contents of communications. This was one of the biggest threats in Internet history.
About the Developer of HeartBeat in OpenSSL
Two years ago, a German programmer named Robin Seggelmann coded and developed a new feature in OpenSSL called HeartBeat. The secure open-source protocol was used by almost every website, including social networking sites, search engines, banks and financial organizations, etc.
As we know, technology is both a boon and a bane for mankind. HeartBeat was a great feature to introduce in OpenSSL, but it cost him dearly, as this is where the most critical bug resides.
Seggelmann was just trying to improve OpenSSL by submitting updates to the team. But the same feature led to the critical vulnerability called "HeartBleed", as per The Guardian. Robin Seggelmann submitted the OpenSSL code with the heartbeat feature in an update on New Year's Eve, 2011. This means the most critical threat has been around, unnoticed, for more than two years.
Open Doors to Cyber Criminals and NSA
The HeartBeat vulnerability gives cyber criminals the chance to become active in their operations, because it exposes a large number of cryptographic keys and private data, such as usernames, passwords, and credit card numbers, from the most important sites and services on the Internet.
The developer is responsible for what may be the biggest Internet vulnerability in recent history, but it was just a single programming error in the new feature: he didn't notice the missing validation, and unfortunately the code reviewer also missed it before it was introduced in the newly released version.
"I am responsible for the error," Robin Seggelmann told the Guardian, "because I wrote the code and missed the necessary validation by an oversight. Unfortunately, this mistake also slipped through the review process and therefore made its way into the released version."
Since HeartBeat was introduced two years ago, this critical vulnerability has existed for two years. According to recent updates, it is being said that the US National Security Agency (NSA) was aware of the HeartBleed vulnerability earlier.
"But in this case, it was a simple programming error in a new feature, which unfortunately occurred in a security-relevant area," Seggelmann said. "It was not intended at all, especially since I have previously fixed OpenSSL bugs myself, and was trying to contribute to the project."
But the NSA has denied knowing of Heartbleed, with a statement saying, "NSA was not aware of the recently identified Heartbleed vulnerability until it was made public."
Although he denied putting the code in intentionally, Seggelmann said it could be entirely possible that government intelligence agencies had been making use of this critical flaw over the past two years.
"It is a possibility, and it's always better to assume the worst than best case in security matters, but since I didn't know [about] the bug until it was released and [I am] not affiliated with any agency, I can only speculate," he told The Sydney Morning Herald.