The bug introduced a flaw into the popular OpenSSL software, which is used by many popular social networking websites, search engines, banks and online shopping sites to keep personal and financial data safe. It allowed anyone who knew of its existence to read usernames, passwords, credit card details and other sensitive information out of a website's server memory in plain text. It also allowed a server's private encryption keys to be stolen. Once stolen, those keys can be used by criminals to decrypt data sent between the website's server and its users, or to impersonate the site. "On a scale of one to 10, it is an 11," renowned security expert Bruce Schneier said of the bug.

'Unfortunately' missed

Dr Seggelmann, of Münster in Germany, said the coding error that introduced the flaw was "unfortunately" missed by him and a reviewer when it was added to the open source OpenSSL encryption library more than two years ago.
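The class of error at issue, a length taken from the peer's request and trusted without checking it against the bytes actually received, as a constructed C example added here (not OpenSSL's code and not the page's own). The record layout, buffer sizes, the echo handler and the "secret" value next to the receive buffer are all assumptions of this demo; the point is the contrast between the handler that never consults the received length and the one that does.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a "heartbeat" echo handler, NOT OpenSSL's code.
 * Assumed record layout:  byte 0 = type, bytes 1..2 = declared payload
 * length (big-endian), bytes 3.. = payload.  The only flaw modelled is the
 * one the article describes: a length taken from the peer and trusted. */

#define RX_CAP     32      /* receive buffer that holds one record              */
#define SECRET_CAP 48      /* unrelated data that happens to sit right after it */

struct conn_memory {
    uint8_t rx[RX_CAP];           /* the received record lands here */
    char    secret[SECRET_CAP];   /* e.g. key material (constructed value) */
};

typedef size_t (*echo_fn)(const struct conn_memory *, size_t, uint8_t *, size_t);

/* Fill the connection memory with a request whose declared length may be
 * larger than the payload actually sent.  Returns the bytes that arrived. */
static size_t build_request(struct conn_memory *m, const char *payload,
                            uint16_t declared_len)
{
    static const char key[] = "-----BEGIN PRIVATE KEY-----";   /* constructed */
    size_t plen = strlen(payload);               /* caller keeps plen <= RX_CAP - 3 */
    memset(m, 0, sizeof *m);
    memcpy(m->secret, key, sizeof key);
    m->rx[0] = 1;                                /* type: request */
    m->rx[1] = (uint8_t)(declared_len >> 8);
    m->rx[2] = (uint8_t)(declared_len & 0xff);
    memcpy(m->rx + 3, payload, plen);
    return 3 + plen;
}

/* Vulnerable: copies 'declared' bytes from where the payload starts and never
 * asks how many bytes were actually received.  The response buffer is sized
 * from the declared length, so the write stays in bounds; the read does not,
 * and runs off the record into whatever lies next to it.  (The out_cap clamp
 * only keeps this demo inside its own struct; it is not the missing check.) */
static size_t echo_vulnerable(const struct conn_memory *m, size_t received,
                              uint8_t *out, size_t out_cap)
{
    (void)received;                              /* the bug: never consulted */
    size_t declared = ((size_t)m->rx[1] << 8) | m->rx[2];
    if (declared > out_cap)
        declared = out_cap;
    const uint8_t *base = (const uint8_t *)m;    /* byte view of the whole struct */
    memcpy(out, base + 3, declared);
    return declared;
}

/* Hardened: the declared length is checked against what was received (and
 * against the response buffer) before anything is copied; a record that lies
 * about its length is dropped. */
static size_t echo_hardened(const struct conn_memory *m, size_t received,
                            uint8_t *out, size_t out_cap)
{
    if (received < 3)
        return 0;
    size_t declared = ((size_t)m->rx[1] << 8) | m->rx[2];
    if (declared > received - 3 || declared > out_cap)
        return 0;
    memcpy(out, m->rx + 3, declared);
    return declared;
}

/* Send a 5-byte payload that declares 40 bytes, then report how many bytes of
 * the neighbouring secret came back in the response (copied into 'captured'). */
static size_t leak_probe(echo_fn echo, char *captured, size_t cap)
{
    struct conn_memory m;
    uint8_t out[40];                             /* sized from the declared length */
    size_t received = build_request(&m, "hello", (uint16_t)sizeof out);
    size_t n = echo(&m, received, out, sizeof out);
    size_t first_secret = RX_CAP - 3;            /* out[] index where m.secret begins */
    size_t leaked = n > first_secret ? n - first_secret : 0;
    if (leaked >= cap)
        leaked = cap - 1;
    memcpy(captured, out + first_secret, leaked);
    captured[leaked] = '\0';
    return leaked;
}

int main(void)
{
    char captured[64];
    size_t n = leak_probe(echo_vulnerable, captured, sizeof captured);
    printf("vulnerable: %zu bytes of the secret echoed back: \"%s\"\n", n, captured);
    n = leak_probe(echo_hardened, captured, sizeof captured);
    printf("hardened:   %zu bytes leaked (request rejected)\n", n);
    return 0;
}
```

The vulnerable path never writes past its response buffer, which is why nothing crashes: the damage is the read of 35 bytes the client never sent, 11 of which in this layout are the start of the neighbouring "secret". In a real process the bytes that come back are simply whatever happens to sit next to the record, which is what makes a one-line missing comparison so severe.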

"I was working on improving OpenSSL and submitted numerous bug fixes and added new features," he said. "In one of the new features, unfortunately, I missed validating a variable containing a length." After he submitted the code, a reviewer "apparently also didn't notice the missing validation", Dr Seggelmann said, "so the error made its way from the development branch into the released version." Logs show that reviewer was Dr Stephen Henson. Dr Seggelmann said the error he introduced was "quite trivial", but acknowledged that its impact was "severe".

Conspiracy theories

A number of conspiracy theorists have speculated the bug was inserted maliciously. Dr Seggelmann said it was "tempting" to assume this, especially after the disclosure by Edward Snowden of the spying activities conducted by the US National Security Agency and others. "But in this case, it was a simple programming error in a new feature, which unfortunately occurred in a security relevant area," he said. "It was not intended at all, especially since I have previously fixed OpenSSL bugs myself, and was trying to contribute to the project." Despite denying he put the bug into the code intentionally, he said it was entirely possible intelligence agencies had been making use of it over the past two years.

"It is a possibility, and it's always better to assume the worst than best case in security matters, but since I didn't know [about] the bug until it was released and [I am] not affiliated with any agency, I can only speculate."

Benefits of discovery

Dr Seggelmann said that if the discovery of the bug had demonstrated anything, it was that more contributors were needed to keep an eye on the code of open source software. "It's unfortunate that it's used by millions of people, but only very few actually contribute to it," he said. "The benefit of open source software is that anyone can review the code in the first place.

"The more people look at it, the better, especially with software like OpenSSL."

This reporter is on Facebook: /bengrubb
Follow IT Pro on Twitter