Heartbleed Flaw Did Not Affect iOS, OS X And Key Apple Services; Accused Developer Says Bug Was Unintentional

 @KukilBora on April 11 2014 5:01 AM
Image caption: Websites such as Google and Facebook have implemented fixes for the flaw, but security researchers still suggest users change their passwords. (Credit: Heartbleed.com)

Apple Inc. (NASDAQ:AAPL) said in a statement Thursday that its operating systems, including iOS and OS X, and “key web services” were unaffected by the massive “Heartbleed” security flaw. The developer accused of creating the bug said it was an accident.

According to Re/code, Apple confirmed in a statement that its systems and services remained untouched by the Heartbleed bug, a secure sockets layer, or SSL, flaw found in open source software, which could compromise the passwords and personal information of millions of users.

“Apple takes security very seriously. IOS and OS X never incorporated the vulnerable software and key Web-based services were not affected,” an Apple spokesperson told Re/code.

The Heartbleed bug, which is believed to have affected approximately 66 percent of all websites, allows anyone on the Internet to read data stored on systems that are protected by susceptible versions of OpenSSL software, including secret keys used to encrypt traffic, according to Heartbleed.org. The site also said that unauthorized users can use the data to collect usernames and passwords, spy on communications and steal information from affected services.

Although major companies such as Google Inc. (NASDAQ:GOOGL), Facebook Inc. (NASDAQ:FB) and Tumblr have implemented fixes on their websites for the flaw, security researchers have recommended that users change their passwords, AppleInsider reported.

Meanwhile, Mashable has provided a list of services where users should change their passwords. Users are also advised to use password management tools such as LastPass, 1Password and Apple’s Safari browser password generator to keep track of multiple passwords across various accounts, instead of using a single password for multiple accounts.

It Was Unintentional: Robin Seggelmann

Robin Seggelmann, the German developer who was accused of making the coding error that has come to be known as the Heartbleed flaw, told the Sydney Morning Herald that he did not insert the bug deliberately, as some have suggested.

According to Seggelmann, the coding error behind the flaw was “unfortunately” missed by him and a reviewer when it was introduced into the OpenSSL software more than two years ago.

“I was working on improving OpenSSL and submitted numerous bug fixes and added new features,” Seggelmann told the Herald. “In one of the new features, unfortunately, I missed validating a variable containing a length.”

Seggelmann also said that it was “tempting” to assume that the bug was inserted maliciously, especially after revelations by Edward Snowden, a former employee of the Central Intelligence Agency, of the spying activities conducted by the U.S. National Security Agency and others.

“It was not intended at all, especially since I have previously fixed OpenSSL bugs myself, and was trying to contribute to the project,” Seggelmann said.
