Heartbleed bug has been exploited by NSA since it was discovered, say sources

14 Apr 2014

The Heartbleed bug that has only recently made it into mainstream news had been exploited by the US’ National Security Agency (NSA) for more than two years, according to sources within the NSA.

According to a report published by Bloomberg, the US government had been using the bug to gather personal data from selected computers and withheld its knowledge of the flaw from the public so as to keep its surveillance operations running.

However, the NSA responded to the accusations with a brief statement, declaring it had only become aware of Heartbleed at the same time as everyone else, when Finnish cybersecurity company Codenomicon publicised the vulnerability in a report earlier this month.

“Reports that NSA or any other part of the government were aware of the so-called Heartbleed vulnerability before 2014 are wrong … If the federal government, including the intelligence community, had discovered this vulnerability prior to last week, it would have been disclosed to the community responsible for OpenSSL,” said the NSA statement.

The bug is considered one of the biggest security issues found on the internet in recent years, and is known to affect more than two-thirds of the websites that use the OpenSSL encryption software.

The bug has since been addressed by most of the largest sites on the web, such as Gmail and Yahoo!, but many smaller websites that have not yet installed the required patch may still be affected.

Colm Gorey was a senior journalist with Silicon Republic

editorial@siliconrepublic.com