WASHINGTON — The Obama administration denied Friday that the National Security Agency or other parts of the federal government had known about the Heartbleed security vulnerability that has created widespread fears that passwords and other sensitive information belonging to millions of Internet users may have been revealed over the past two years.
The White House was responding to a report by Bloomberg News citing two unidentified sources who said that the NSA had known about the flaw and “regularly used it to gather critical intelligence.” Outside experts expressed strong doubts about the report, noting that the information that could be gleaned from the Heartbleed bug was somewhat random, meaning that it probably would be a clumsy intelligence tool.
The suspicions about the NSA were fueled by the fact that the agency regularly seeks out similar security flaws and turns some of them into cyberweapons. But Caitlin Hayden, the spokeswoman for the National Security Council, said in a statement: “Reports that N.S.A. or any other part of the government were aware of the so-called Heartbleed vulnerability before April 2014 are wrong. The federal government was not aware of the recently identified vulnerability in OpenSSL” — the freely available encryption methodology — “until it was made public in a private sector cybersecurity report.”
The vulnerability was discovered by Finnish researchers and a researcher at Google. But, so far, there is no evidence that anyone used it to hack into personal or secret data.
For days, government officials have said nothing about what they knew, or did not know, about Heartbleed. But as the Bloomberg report began to race around the Internet, the White House, the NSA and the office of the director of national intelligence determined that they could not remain silent.
Since the Heartbleed bug was first publicized Monday, some security researchers and cryptographers have questioned whether the bug served as the basis for the NSA’s Bullrun program, its decade-long effort to crack or circumvent encryption on the web.
But the Heartbleed bug was introduced in some code by a German programmer in March 2012, two years after the agency made a major encryption breakthrough under the Bullrun program, according to classified documents released by former NSA contractor Edward J. Snowden.
Security researchers also note that the Heartbleed bug allows hackers to pull out data only in 64-kilobyte increments, making it less feasible that it would be used for wide-scale espionage.
Initially, some security experts questioned whether it could be used to extract the private encryption keys to unscramble messages stored on a server in the past, or potentially in the future. But Friday, a group of security experts at CloudFlare, the Silicon Valley Internet firm, said that in tests this week, they were not able to extract any private key data from a vulnerable server using the Heartbleed bug.
“Note that is not the same as saying it is impossible to use Heartbleed to get private keys,” Nick Sullivan, a security engineer at CloudFlare, wrote in a company report. “However, if it is possible, it is at minimum very hard.”
James A. Lewis, a cybersecurity expert at the Center for Strategic and International Studies in Washington, said that the claim that the NSA knew about the Heartbleed bug and stockpiled it for its own purposes was not in keeping with the agency’s policy.
“In this case, it would be weird for the NSA to let this one go if they thought there was such a widespread risk,” he said.