The National Security Agency knew for at least two years about the massive Web security flaw Heartbleed and used it to gather critical intelligence, unidentified sources told Bloomberg Friday. This has, however, been denied by the White House and NSA.
Heartbleed is a flaw in OpenSSL, the widely used encryption library that establishes secure connections between servers and Web browsers. OpenSSL protects data flowing from users’ computers to tens of thousands of websites, including Gmail and Facebook.
The bug was first identified by security experts at Google and at the cybersecurity company Codenomicon on April 7. It allows an attacker to make a server hand over bits of its memory that should never be accessible.
Attackers can easily steal sensitive data such as passwords, credit-card numbers and other personal details, and the theft leaves no trace behind. Given how dangerous this is, top names in the technology sector have spent the past week racing to patch their software and close the flaw.
According to estimates, nearly two-thirds of all sites on the Internet use OpenSSL, which makes Heartbleed possibly one of the riskiest bugs the Internet has ever seen. And if the accusation against the NSA is indeed true, the flaw must have allowed the agency to access the information of millions of users.
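To make the memory-disclosure mechanism concrete, here is an added C model of a heartbeat handler, not OpenSSL's own code: the unchecked version copies as many bytes as the request claims to carry, while the checked version refuses any request whose claimed length exceeds what was actually received. The record layout, the 64-byte arena and the "SECRET-1234" bytes are constructed for the demonstration.

```c
#include <stdint.h>
#include <string.h>

/* Constructed record layout: [type:1][payload_len:2, big-endian][payload...]. */
enum { HB_REQUEST = 1, HB_RESPONSE = 2 };

/* Vulnerable form: trusts the claimed payload_len and copies that many bytes
   from the record buffer, even when they lie past the end of the record. */
size_t hb_reply_unchecked(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap) {
    if (rec_len < 3 || rec[0] != HB_REQUEST) return 0;
    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];
    if (3 + payload_len > out_cap) return 0;   /* guards only the output buffer */
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload_len);     /* over-reads when payload_len > rec_len - 3 */
    return 3 + payload_len;
}

/* Hardened form: the claimed length must fit inside the bytes actually received. */
size_t hb_reply_checked(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap) {
    if (rec_len < 3 || rec[0] != HB_REQUEST) return 0;
    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];
    if (payload_len > rec_len - 3) return 0;   /* malformed request: discard silently */
    if (3 + payload_len > out_cap) return 0;
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload_len);
    return 3 + payload_len;
}

/* Constructed scenario: a 7-byte request claiming a 32-byte payload sits in a 64-byte
   arena followed by stand-in secret bytes, so the over-read stays inside memory we own. */
static void build_arena(uint8_t arena[64]) {
    static const uint8_t record[] = { HB_REQUEST, 0x00, 0x20, 'p', 'i', 'n', 'g' };
    memset(arena, 0, 64);
    memcpy(arena, record, sizeof record);
    memcpy(arena + sizeof record, "SECRET-1234", 11);
}

/* Returns 1 if the unchecked handler echoes the bytes that followed the record. */
int demo_leak_observed(void) {
    uint8_t arena[64], out[64]; build_arena(arena);
    size_t n = hb_reply_unchecked(arena, 7, out, sizeof out);
    return n == 35 && memcmp(out + 7, "SECRET-1234", 11) == 0;
}

/* Returns 1 if the checked handler drops the same request without answering it. */
int demo_fix_rejects(void) {
    uint8_t arena[64], out[64]; build_arena(arena);
    return hb_reply_checked(arena, 7, out, sizeof out) == 0;
}
```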
The Bloomberg report, citing two unnamed sources “familiar with the matter,” said that NSA staff spotted the Heartbleed flaw shortly after the flawed code was published. Accusing the agency of exploiting the deadly bug, Bloomberg stated:
Putting the Heartbleed bug in its arsenal, the NSA was able to obtain passwords and other basic data that are the building blocks of the sophisticated hacking operations at the core of its mission, but at a cost. Millions of ordinary users were left vulnerable to attack from other nations’ intelligence arms and criminal hackers.
"Given the scale of Heartbleed, deciding to exploit this vulnerability rather than fix it makes a mockery of any claims that the NSA defends the networks of the USA," an employee on the security team of a major Internet company, who asked not to be named, told Mashable.
However, NSA late Friday denied knowing about the Heartbleed bug in a brief statement on Twitter:
Statement: NSA was not aware of the recently identified Heartbleed vulnerability until it was made public.
Meanwhile, White House spokeswoman Caitlin Hayden said Friday the Bloomberg report is "wrong."
"The federal government was not aware of the recently identified vulnerability in [the encryption software] OpenSSL until it was made public in a private-sector cybersecurity report," she said.
"This administration takes seriously its responsibility to help maintain an open, interoperable, secure and reliable Internet. If the federal government, including the intelligence community, had discovered this vulnerability prior to last week, it would have been disclosed to the community responsible for OpenSSL."
Wall Street Journal cybersecurity and hacker reporter Danny Yadron had this to say on the denials:
NSA, White House and DNI now have on record statements denying Bloomberg story. They don't do that for Snowden stories...
An Atlantic correspondent tweeted:
If this story holds up http://bloom.bg/1hyNyCi, of NSA knowingly using Heartbleed bug, time for firings and a lot more.