The National Security Agency on Friday denied a report that it had been aware for years of the enormous "Heartbleed" security flaw affecting millions of websites, but kept the information secret and used it for its own purposes.
Bloomberg, citing unidentified sources, reported Friday that the NSA knew about Heartbleed for two years before the public disclosure of the bug by security researchers last week.
"NSA was not aware of the recently identified vulnerability in OpenSSL, the so-called Heartbleed vulnerability, until it was made public in a private-sector cybersecurity report. Reports that say otherwise are wrong," the agency said in a statement to NBC News.
Heartbleed (CVE-2014-0160) is a flaw in OpenSSL, a widely used software library that implements the SSL/TLS encryption protecting the connection between a server and a web browser, for example between an online shop and its customer. The bug sits in the library's handling of the TLS "heartbeat" keep-alive message: the server copies as many bytes into its reply as the sender claims to have sent, without checking that the request actually contained that many. An attacker can therefore read up to 64 KB of the server's memory per request, whatever happens to be nearby, including private keys, session cookies and passwords, and can repeat the request as often as it likes. What's more, the exploit leaves no trace in ordinary server logs, because a heartbeat is not a request the web server records.
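The over-read described above, reduced to its essentials. This is an added illustration, not OpenSSL's code: the record layout (one type byte, a two-byte big-endian payload length, the payload, 16 bytes of padding) follows the heartbeat message format, but the "server memory" buffer, the secret placed after the record, and the function names are constructed for the demo. The vulnerable handler trusts the length in the header; the fixed handler adds the single comparison against the real record length that the OpenSSL patch introduced.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16

/* Constructed secret that sits in memory just past the heartbeat record,
 * standing in for whatever a real server has in a reused buffer. */
static const char secret[] = "session-cookie=abc123; password=hunter2";

/* Build a heartbeat request whose header claims `claimed_len` payload bytes
 * but actually carries only `actual_len`, then drop the secret right after
 * the record. Returns the true record length. (Hypothetical memory layout.) */
size_t build_request(unsigned char *mem, size_t mem_size,
                     uint16_t claimed_len, size_t actual_len) {
    memset(mem, 0, mem_size);
    unsigned char *p = mem;
    *p++ = HB_REQUEST;
    *p++ = (unsigned char)(claimed_len >> 8);
    *p++ = (unsigned char)(claimed_len & 0xff);
    memset(p, 'A', actual_len);
    p += actual_len;
    memset(p, 0, HB_PADDING);
    p += HB_PADDING;
    size_t rec_len = (size_t)(p - mem);
    memcpy(p, secret, sizeof secret);   /* adjacent, unrelated data */
    return rec_len;
}

/* Pre-fix logic: the claimed length drives the memcpy; rec_len is never
 * consulted. Returns the response length written to `out`, or 0. */
size_t handle_heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                                   unsigned char *out, size_t out_size) {
    (void)rec_len;                       /* the bug: real length ignored */
    const unsigned char *p = rec;
    if (*p++ != HB_REQUEST) return 0;
    uint16_t payload = (uint16_t)((p[0] << 8) | p[1]);
    p += 2;
    const unsigned char *pl = p;
    size_t resp_len = 1 + 2 + (size_t)payload + HB_PADDING;
    if (resp_len > out_size) return 0;   /* demo-only guard on our own buffer */
    unsigned char *bp = out;
    *bp++ = HB_RESPONSE;
    *bp++ = (unsigned char)(payload >> 8);
    *bp++ = (unsigned char)(payload & 0xff);
    memcpy(bp, pl, payload);             /* over-read past the real payload */
    bp += payload;
    memset(bp, 0, HB_PADDING);
    return resp_len;
}

/* Post-fix logic: discard any request whose claimed payload would not fit
 * inside the record that actually arrived. */
size_t handle_heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                              unsigned char *out, size_t out_size) {
    if (rec_len < 1 + 2 + HB_PADDING) return 0;   /* no room for header+padding */
    const unsigned char *p = rec;
    if (*p++ != HB_REQUEST) return 0;
    uint16_t payload = (uint16_t)((p[0] << 8) | p[1]);
    p += 2;
    if (1 + 2 + (size_t)payload + HB_PADDING > rec_len) return 0;  /* the fix */
    return handle_heartbeat_vulnerable(rec, rec_len, out, out_size);
}

/* Did any part of the secret come back in the response? */
int response_contains_secret(const unsigned char *resp, size_t len) {
    size_t slen = strlen(secret);
    for (size_t i = 0; i + slen <= len; i++)
        if (memcmp(resp + i, secret, slen) == 0) return 1;
    return 0;
}

int main(void) {
    unsigned char mem[256], resp[512];
    size_t n = build_request(mem, sizeof mem, 64, 4);   /* claims 64, sends 4 */
    size_t r = handle_heartbeat_vulnerable(mem, n, resp, sizeof resp);
    printf("vulnerable: %zu-byte reply, secret leaked: %s\n",
           r, response_contains_secret(resp, r) ? "yes" : "no");
    r = handle_heartbeat_fixed(mem, n, resp, sizeof resp);
    printf("fixed: reply length %zu (0 = request discarded)\n", r);
    return 0;
}
```

Run stand-alone, the first line reports a reply of 83 bytes containing the planted secret; the fixed handler returns 0 and sends nothing. An honest request, where the claimed and actual lengths agree, still passes the fixed check, which is why the patch could ship without breaking legitimate clients.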
Security experts warn there is little Internet users can do to protect themselves from the recently uncovered "Heartbleed" bug that exposes data to hackers, at least not until vulnerable websites upgrade their software.
By some estimates up to two-thirds of web servers run software that could be affected, and the ease of exploiting the bug means any unpatched site could be attacked. That means everything from passwords to credit card numbers to closely guarded industrial secrets might have been leaked to hackers during the roughly two years the flaw has existed. And there's not a lot consumers can do until the sites fix the problem on their end.
The U.S. government on Friday warned banks and other businesses to be on alert for hackers seeking to steal data exposed by Heartbleed.
The Bloomberg report said the NSA, by exploiting Heartbleed, was able to obtain passwords and other basic data that are the building blocks of the sophisticated hacking operations at the core of its mission.
If the reports were true, they would represent a serious breach of the agency's mission.
"There’s no excuse for leaving Americans and U.S. businesses vulnerable to breaches on this scale," said Julian Waits Sr., CEO of ThreatTrack Security. "They should be helping to shore up vulnerabilities, not exploiting them."
NBC News received a second, stronger statement of denial from the National Security Council, a policy-making group chaired by the President.
"The Federal government relies on OpenSSL to protect the privacy of users of government websites and other online services," the statement read in part. "If the Federal government, including the intelligence community, had discovered this vulnerability prior to last week, it would have been disclosed to the community responsible for OpenSSL."
First published April 11 2014, 1:50 PM