The US National Security Agency (NSA) knew of the Heartbleed flaw in the widely used OpenSSL security tool and exploited it for years – instead of blowing the whistle so that the flaw could be patched.
Indeed, according to sources, the discredited security agency knew of the flaw for two years and used it to gather intelligence by obtaining passwords and, therefore, access to people’s email and other personal information.
The basic memory management flaw in the OpenSSL open-source encryption software exposes information to users that they shouldn't be able to see. Among those exposed by the flaw are millions of users of Android smartphones and tablet computers, as well as the networking equipment produced by both Cisco Systems and Juniper Networks – the two biggest makers of internet hardware in the world.
Because OpenSSL is deeply embedded within the Cisco and Juniper hardware, the makers have warned that it could take some time before they can offer comprehensive patches.
The NSA claims come from unnamed insiders quoted by newswire Bloomberg. They indicate that the organisation uncovered the flaw early on and, instead of notifying the open source organisation responsible for OpenSSL, chose to exploit it.
While the OpenSSL open-source software project is maintained by a team of just four coders based in Europe, the NSA employs more than 1,000 top staff whose job it is to find flaws in such code – and then exploit them on behalf of US intelligence.
The revelation that the flaw was uncovered and used by the NSA for at least two years means that questions remain over whether other organisations also discovered the security flaw – and exploited it for their own ends too.
Bloomberg points out that if cyber criminals had uncovered the flaw, they could potentially have got access to passwords for online bank accounts, ecommerce sites and email accounts.