Report: NSA Knew About Heartbleed Bug for 2 Years and Said Nothing
The NSA headquarters in Fort Meade, Md., on June 6, 2013.
Image: Patrick Semansky/Associated Press
The NSA knew about the Internet security bug Heartbleed and regularly used it to gather intelligence for at least two years, anonymous sources told Bloomberg.
If true, the NSA could have collected information like passwords and private communications from hundreds of thousands of websites. Heartbleed is a bug in the popular open-source encryption software OpenSSL, which is used to secure data flowing from users' computers to hundreds of thousands of websites, including Gmail and Facebook. Almost two-thirds of all sites on the Internet use OpenSSL, according to estimates, making this bug possibly one of the most dangerous the Internet has ever seen and potentially allowing the NSA to access information on millions of users.
But by not alerting anyone to the bug, the NSA could have left the door open for other intelligence agencies across the world to exploit Heartbleed, provided they found the bug. This revelation also seems to contradict one of the NSA's core missions, which is protecting and defending American cybersecurity.
"Given the scale of Heartbleed, deciding to exploit this vulnerability rather than fix it, makes a mockery of any claims that the NSA defends the networks of the U.S.A.," an employee on the security team of a major Internet company, who asked not to be named, told Mashable.
Mashable asked an NSA spokesperson on Wednesday whether it had known about Heartbleed or whether it could comment on the bug. "We'll defer to DHS [Department of Homeland Security]," the spokesperson responded.
We also reached out to the Department of Homeland Security but haven't heard back yet. We will continue to update this story as we get more information.
Despite the outrage, this revelation doesn't come as a complete surprise for many. Over the past few days, some have already speculated whether the NSA used Heartbleed to breach SSL, since documents leaked by Edward Snowden revealed the spy agency has been trying to breach it for years.
"It would not at all surprise me if the NSA had discovered this long before the rest of us had," Matt Blaze, a cryptographer and computer security professor at the University of Pennsylvania, told Wired. "It’s certainly something that the NSA would find extremely useful in their arsenal."