The National Security Agency knew about — and exploited — a glitch known as the Heartbleed bug, which may expose sensitive information on many websites, for at least two years, Bloomberg News reports.
Putting the Heartbleed bug in its arsenal, the NSA was able to obtain passwords and other basic data that are the building blocks of the sophisticated hacking operations at the core of its mission, but at a cost. Millions of ordinary users were left vulnerable to attack from other nations' intelligence arms and criminal hackers.
The Heartbleed bug is a security flaw that may put millions of passwords, credit card numbers, and other personal information at risk. The bug was revealed earlier this week, though the extent of the damage is unknown as the affected websites scramble to fix it.
The NSA's decision to keep the bug secret in pursuit of national security interests threatens to renew the rancorous debate over the role of the government's top computer experts.
“The government should be in the business of protecting citizens and businesses,” Julian Waits, CEO of cybersecurity firm ThreatTrack Security, told Boston.com in an email. “They should be helping to shore up vulnerabilities, not exploiting them.”
After the report came out Friday afternoon, the NSA was quick to deny that it had knowledge of the glitch, the Washington Post reported.
"NSA was not aware of the recently identified vulnerability in OpenSSL, the so-called Heartbleed vulnerability, until it was made public in a private-sector cybersecurity report," NSA spokesperson Vanee Vines told The Post. "Reports that say otherwise are wrong."
The White House and the Office of the Director of National Intelligence echoed that statement Friday, saying neither the NSA nor any other part of the U.S. government knew about Heartbleed before April 2014.
Despite the denial, the Washington Post story said many privacy advocates wouldn’t be surprised after the NSA was embroiled in scandal last year over its data collection program.