It just doesn’t end. Bloomberg is reporting that, according to “two people familiar with the matter,” the NSA has known about the Heartbleed vulnerability for at least two years—and was using it to collect information about people instead of, you know, telling someone about it and getting it fixed.
With millions of websites compromised, people all over the world changing their passwords for protection, the Canadian government suspending electronic tax filing, and people speculating about whether Heartbleed is the “worst vulnerability ever,” this could end up looking pretty bad for the agency. Good thing it already has a sparkly-clean public image, or it might be in trouble.
According to Bloomberg, it doesn’t seem that the NSA created Heartbleed—it just found the bug and used it. An NSA spokesperson declined to comment about the agency’s knowledge or use of Heartbleed. But Jason Healey, director of the Cyber Statecraft Initiative and a former Air Force cyber officer, told Bloomberg, “It flies in the face of the agency’s comments that defense comes first. They are going to be completely shredded by the computer security community for this.”
In early 2012 Heartbleed was mistakenly introduced into the code for OpenSSL, an open-source software component for certain popular types of encryption. It would make sense if the NSA found it soon after, because—in addition to using its influence to weaken new or existing encryption—the agency also spends millions of dollars looking for software vulnerabilities that already exist around the Web, especially in open-source code that is more likely to have inconsistent oversight, and therefore bigger errors.
The big question is: Who else knew about it? If the NSA found it, other international intelligence agencies or criminals could also have been dipping in to the flow of usernames, passwords, and other personal details. But as Bloomberg points out, it took two years for anyone reviewing OpenSSL code to spot it, and there is no evidence so far that hackers found the flaw. The full extent of the damage remains to be seen, though.
The incident raises questions about the NSA, of course, but also about the trust people place in software developers to produce secure code. These questions have lingered in the cybersecurity and cryptography communities for years, but are only now coming to the fore consumers are becoming increasingly aware that their personal privacy is on the line. Settle in, because this won’t be the last news story about the NSA exploiting a vulnerability instead of reporting it.