NSA knew about, exploited Heartbleed bug to gather intelligence: Report

FILE. RCMP are warning parents about the danger of some online apps. File/Getty Images

UPDATE (April 11, 10:00 p.m.): The White House and U.S. intelligence agencies have both denied claims that the U.S. National Security Agency was aware of and exploiting the Heartbleed bug bug before it was made public this week.

The White House, the NSA and the Office of the Director of National Intelligence issued statements Friday after Bloomberg reported the NSA was aware of the security vulnerability and kept it secret in the interest of national security.

TORONTO – The U.S. National Security Agency knew about and exploited an online encryption flaw now known as the to gather critical intelligence, according to a new media report.

According to a report published Friday by Bloomberg, the NSA decided to keep the major security flaw a secret in the interest of national security.

Breaking news from Canada and around the world sent to your email, as it happens.

The report, which cites two people familiar with the matter, alleges that by exploiting the security flaw the NSA would have been able to obtain passwords and other user data that “are the building blocks of the sophisticated hacking operations at the core of its mission.”

Story continues below advertisement

The Heartbleed flaw affects OpenSSL – a widely used open-source set of libraries for encrypting online services.

Heartbleed creates an opening in SSL/TLS, an encryption technology marked by the small, closed padlock and “https:” on Web browsers to show that traffic is secure. The flaw makes it possible to snoop on Internet traffic even if the padlock is closed, leaving users’ information unsecure.

Security experts have called it one of the biggest security threats the Internet has ever faced.

READ MORE: Heartbleed bug: What’s affected and what passwords you need to change

Since the bug was revealed on Monday some have speculated that the NSA and other intelligence agencies may have known about and been exploiting the flaw for cyber surveillance.

On Friday Robin Seggelmann, the developer who admitted to writing the line of code that contained the flaw denied reports that he placed it there intentionally, telling the Sydney Morning Herald the flaw was “unfortunately missed” by both himself and a reviewer when it was added to OpenSSL over two years ago.

READ MORE: Meet the man who broke the Internet

According to the report, Seggelmann said it was “tempting” to assume he had placed the bug deliberately after Edward Snowden’s revelations of the cyber surveillance conducted by the NSA, which made headlines in June.


Sponsored content