The US National Security Agency (NSA) has denied prior knowledge of the Heartbleed flaw in the widely used OpenSSL security tool, after reports suggested it had exploited the software for a year.
OpenSSL, an open-source software tool used to encrypt data such as passwords, is deployed by about two-thirds of all websites. The NSA was accused of using the glitch to obtain passwords in order to access people’s email logins and other personal information.
The NSA claims came from unnamed insiders quoted by newswire Bloomberg. They indicated that the organisation uncovered the flaw early on and, instead of notifying the open source organisation responsible for OpenSSL, chose to exploit it instead.
The flaw within the software has existed for over two years, but the NSA has now denied that it had any knowledge of it.
“[The] NSA was not aware of the recently identified vulnerability in OpenSSL, the so-called Heartbleed vulnerability, until it was made public in a private-sector cyber security report,” NSA spokeswoman Vanee Vines told the BBC via email.
“Reports that say otherwise are wrong,” she said in reference to the Bloomberg report.
A White House official also denied the US government was aware of the bug.
“Reports that the NSA or any other part of the government were aware of the so-called Heartbleed vulnerability before April 2014 are wrong,” a White House national security spokesperson said.
“This administration takes seriously its responsibility to help maintain an open, interoperable, secure and reliable internet.
“If the federal government, including the intelligence community, had discovered this vulnerability prior to last week, it would have been disclosed to the community responsible for OpenSSL,” she added.
Other organisations may also have discovered the security flaw – and exploited it for their own ends too.
Bloomberg points out that if cyber criminals had uncovered the flaw, they could potentially have got access to passwords for online bank accounts, e-commerce sites and email accounts.