
NSA: "We didn't exploit Heartbleed for surveillance purposes"

The National Security Agency (NSA) today denied that it has known about the Heartbleed bug for years and used it for surveillance efforts.

"NSA was not aware of the recently identified Heartbleed vulnerability until it was made public," the agency said on its Twitter feed.

The denial came after Bloomberg published a report, citing two people familiar with the matter, that said the NSA knew about Heartbleed for at least two years and "regularly used it to gather critical intelligence."

The news agency said the NSA was able to gather things like passwords and other basic data that travels over the Web.

Heartbleed is a bug in OpenSSL that left data supposedly protected by the cryptographic software library exposed to attackers. Its existence was revealed this week by a team of researchers from Google Security and Codenomicon, who said Heartbleed has been in the wild since version 1.0.1 was released in March 2012. A fix has just rolled out, but Heartbleed left Web content, emails, instant messaging, and virtual private networks on about two-thirds of the world's servers open to hackers.

Though a fix was released, your data remains vulnerable on any site that has not yet deployed it. The only thing you can really do to prevent having your information stolen by scammers exploiting the Heartbleed bug is to change your password on affected sites. But again, don't do it until that site has rolled out the fix, or you might just be exposing your new password.

The origin of Heartbleed, meanwhile, can be traced back to a developer who mistakenly introduced it on New Year's Eve 2011. Robin Seggelmann, a programmer based in Germany, submitted the code in an update at 11:50 pm, 31 December, 2011, intending to enable Heartbeat in OpenSSL. But he "missed the necessary validation by an oversight," Seggelmann told The Guardian.
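The "necessary validation" Seggelmann refers to is a length check: a TLS heartbeat message carries a two-byte field announcing how long its payload is, and the server must confirm that claim against the size of the record it actually received before echoing the payload back. The following C snippet is an added illustration, not OpenSSL's code; it parses the heartbeat layout defined in RFC 6520 (one type byte, a two-byte payload length, the payload, then at least 16 bytes of padding) and shows the bounds check that the original commit omitted. The function names and the two sample requests are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Heartbeat message layout per RFC 6520 (example code, not OpenSSL's). */
#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_HDR_LEN   3    /* 1 byte type + 2 byte payload_length */
#define HB_PADDING   16   /* minimum trailing padding */

/* Validate a heartbeat request against the length of the record that was
 * actually received. Returns the payload length, or -1 if the message is
 * malformed. The third check is the one Heartbleed lacked: without it the
 * responder trusts the peer's claimed length and copies that many bytes. */
int heartbeat_validate(const uint8_t *rec, size_t rec_len) {
    if (rec_len < HB_HDR_LEN + HB_PADDING) return -1;  /* too short to be valid */
    if (rec[0] != HB_REQUEST) return -1;
    unsigned int payload = ((unsigned int)rec[1] << 8) | rec[2];
    if (HB_HDR_LEN + (size_t)payload + HB_PADDING > rec_len) return -1;
    return (int)payload;
}

/* Build the response, copying only the validated payload length, never
 * the bare claimed one. Returns bytes written, or -1 on failure. */
int heartbeat_response(const uint8_t *rec, size_t rec_len,
                       uint8_t *out, size_t out_cap) {
    int payload = heartbeat_validate(rec, rec_len);
    if (payload < 0) return -1;
    size_t need = HB_HDR_LEN + (size_t)payload + HB_PADDING;
    if (need > out_cap) return -1;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HDR_LEN, rec + HB_HDR_LEN, (size_t)payload);
    /* Real implementations fill padding with random bytes; zeroed here. */
    memset(out + HB_HDR_LEN + payload, 0, HB_PADDING);
    return (int)need;
}

/* Constructed sample records (24 bytes each): an honest request whose
 * payload_length matches its 5-byte payload, and one that claims 65535. */
const uint8_t honest_req[24] = { HB_REQUEST, 0x00, 0x05, 'h','e','l','l','o' };
const uint8_t lying_req[24]  = { HB_REQUEST, 0xFF, 0xFF, 'h','e','l','l','o' };
```

With the check in place, `heartbeat_validate` accepts the honest request (payload length 5) and rejects the one whose announced length exceeds the 24-byte record; the response path therefore never reads past the received buffer.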