Not only did the NSA know about the Heartbleed internet bug—found to have exposed the sensitive information of countless web users—but they exploited it for their own intelligence gathering purposes for years, sources charge.
Bloomberg News reported late Friday that the agency found Heartbleed shortly after its introduction in early 2012, according to a person “familiar with the matter,” and rather than reporting or repairing the flaw, the NSA adopted it as “a basic part of they agency’s toolkit for stealing account passwords and other common tasks.”
Heartbleed, believed to be one of the biggest flaws in the Internet’s history, is a vulnerability in OpenSSL protocol, which is used to encrypt communications between users and websites. The bug makes those supposedly secure sites an “open book,” Bloomberg explains. The existence of Heartbleed was first made public on April 7.
By adding Heartbleed to their arsenal—as a means of obtaining passwords and other secure information—critics say the agency not only furthered their own controversial practice of stockpiling user information but they left vulnerable millions of users against outside attack.
After the allegations surfaced, the White House denied that they knew about Heartbleed prior to April 2012.
Regardless, Bloomberg’s sources note that, in addition to Heartbleed, the NSA currently “has a trove of thousands of such vulnerabilities that can be used to breach some of the world’s most sensitive computers.”
The incident highlights what many are saying are the “fundamentally incompatible” dual missions of the agency: securing cyber-infrastructure and gathering foreign intelligence.
SCROLL TO CONTINUE WITH CONTENT