The Washington Post

The NSA denies it knew of the Heartbleed bug

(Trevor Paglen / The Intercept)

The NSA is disavowing its knowledge of the Heartbleed security vulnerability after a Bloomberg report suggested that the spy agency had exploited it for at least two years.

"NSA was not aware of the recently identified vulnerability in OpenSSL, the so-called Heartbleed vulnerability, until it was made public in a private-sector cybersecurity report," NSA spokesperson Vanee Vines told The Post. "Reports that say otherwise are wrong."

The White House and the Office of the Director of National Intelligence echoed that statement Friday, saying neither the NSA nor any other part of the U.S. government knew about Heartbleed before April 2014.

"If the federal government, including the intelligence community, had discovered this vulnerability prior to last week, it would have been disclosed to the community responsible for OpenSSL," said National Security Council spokesperson Caitlin Hayden.

The denials are unusually forceful for an agency that has historically deployed evasive language when referring to its intelligence programs.

According to two anonymous sources cited by Bloomberg News, the NSA knew for "at least two years" that it could use the Heartbleed vulnerability to steal passwords and other sensitive information from unwitting Internet users. The bug is a result of a flawed update to a widely used security protocol underpinning as much as two-thirds of the Web.

Privacy advocates said Friday that the report, if true, would not be a surprise.

The White House said Friday that when the government uncovers a Heartbleed-like bug, "it is in the national interest" to notify developers — "unless there is a clear national security or law enforcement need."

Previous reports show that the NSA has actively sought out and purchased security flaws in the past to use against intelligence targets. It is unclear whether allies of the United States knew of the Heartbleed bug.