The National Security Agency knew about the Heartbleed internet security bug for at least two years and not only said nothing, but exploited it, according to anonymous sources speaking to Bloomberg.
Bloomberg reports that the agency discovered the bug shortly after it was introduced into OpenSSL and that it “became a basic part of the agency’s toolkit for stealing account passwords and other common tasks.”
The bug is a flaw in the open-source OpenSSL library, which secures hundreds of thousands of websites; because it lets a remote client read chunks of a server's memory, it would have given the NSA another means of obtaining passwords and other private data.
The NSA’s reported decision to keep the bug secret in the interest of national security has angered critics and reinvigorated the debate over the agency’s secrecy and its impact on privacy.
Critics in the security community say the move further damages the NSA’s credibility: by sitting on the bug, the agency would have left it open not just to hackers and criminals but to foreign intelligence agencies as well.
Jason Healey, director of the Cyber Statecraft Initiative at the Atlantic Council and a former U.S. Air Force cyber officer, said, “It flies in the face of the agency’s comments that defense comes first. They are going to be completely shredded by the computer security community for this.”
"Given the scale of Heartbleed, deciding to exploit this vulnerability rather than fix it makes a mockery of any claims that the NSA defends the networks of the U.S.A.," one online security professional told Mashable.
Within hours of Bloomberg's report, the NSA and the White House denied that the agency had known about Heartbleed before it was publicly disclosed.
"If the Federal government, including the intelligence community, had discovered this vulnerability prior to last week, it would have been disclosed to the community responsible for OpenSSL," White House National Security Council Spokesperson Caitlin Hayden said in a statement.