The Obama administration denied Friday that the National Security Agency or other parts of the federal government had known about the Heartbleed security vulnerability that has created widespread fears that passwords and other sensitive information belonging to millions of Internet users may have been revealed over the past two years.
The White House was responding to a report by Bloomberg News citing two unidentified sources who said that the N.S.A. had known about the flaw and “regularly used it to gather critical intelligence.” Outside experts expressed strong doubts about the report, noting that the information that could be gleaned from the Heartbleed bug was somewhat random, meaning it probably would be a clumsy intelligence tool.
The suspicions about the N.S.A. were fueled by the fact that the agency regularly seeks out similar security flaws, and turns some of them into cyberweapons. But Caitlin Hayden, the spokeswoman for the National Security Council, said in a statement: “Reports that N.S.A. or any other part of the government were aware of the so-called Heartbleed vulnerability before April 2014 are wrong. The federal government was not aware of the recently identified vulnerability in OpenSSL” — the freely available encryption software library — “until it was made public in a private sector cybersecurity report.”
The vulnerability was discovered by Finnish researchers and a researcher at Google. But, so far, there is no evidence that anyone used it to hack into personal or secret data.
For days, government officials have said nothing about what they knew, or did not know, about Heartbleed. But as the Bloomberg report began to race around the Internet, the White House, the National Security Agency and the office of the director of national intelligence determined that they could not remain silent.
Since the Heartbleed bug was first publicized on Monday, some security researchers and cryptographers have questioned whether the bug served as the basis for the National Security Agency’s Bullrun program, its decade-long effort to crack or circumvent encryption on the web.