updated 10:43 am EDT, Sat April 12, 2014
Agency claims it didn't know of flaw until public disclosure
As reports of the severity of the Heartbleed OpenSSL bug have spread, so have the rumors. A report from Bloomberg has claimed that the US National Security Agency exploited the flaw for at least two years. In its own defense, the NSA issued an unusually specific statement saying that not only did it not use the exploit, it did not even know about the bug until news of it went public a few days ago.
According to the report, two sources close to the matter claimed that the NSA found the bug in 2012, when the vulnerable heartbeat code first shipped in OpenSSL 1.0.1, and had been exploiting it in secret since then, keeping it under wraps as a matter of national security.
Heartbleed (CVE-2014-0160) is present in OpenSSL 1.0.1 through 1.0.1f, as well as the 1.0.2 beta, and is fixed in 1.0.1g; the 1.0.1 series runs on a large proportion of servers. The effects of the bug are varied and wide-ranging: a single malformed TLS heartbeat request makes the server return up to 64 KB of its own process memory, which can contain whatever happened to be nearby, and ZDNet reported that this could expose credit card details sent in a transaction over HTTPS, normally considered secure.
The severity of the issue comes from what that memory can hold. If the server's private key is among the leaked bytes, an attacker can impersonate the server or decrypt captured traffic, and because the malformed heartbeat is handled inside the TLS layer, exploitation leaves no trace in ordinary application logs. The Heartbleed site dedicated to the bug, created by Codenomicon, describes Heartbleed as allowing attackers to potentially "eavesdrop on communications, steal data directly from the services and users, and to impersonate services and users."
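The memory leak comes from a missing bounds check: the heartbeat message carries its own payload_length field, and the vulnerable code copied that many bytes back to the peer without checking them against the size of the record it had actually received. The following Python model, added here as an illustration and not code from the original article or from OpenSSL, reconstructs that check on a constructed "process memory" buffer in which a heartbeat record is followed by a constructed SECRET string. The vulnerable handler trusts the length field and returns the secret; the fixed handler applies the length validation that OpenSSL 1.0.1g introduced and silently discards the request. Python slicing stops at the end of the buffer, so the model cannot crash the way an over-read in C might; everything else follows RFC 6520's message layout.

```python
import struct

# Constructed process memory: whatever sits after the received record in the
# heap. A correct implementation must never hand this back to the peer.
SECRET = b"session_cookie=deadbeef; rsa_private_key_fragment=..."

HB_REQUEST = 1
HB_RESPONSE = 2
PADDING_LEN = 16  # RFC 6520 requires at least 16 bytes of random padding


def build_heartbeat(payload: bytes, claimed_len: int) -> bytes:
    """Build a heartbeat request whose length field may lie about the payload."""
    return struct.pack("!BH", HB_REQUEST, claimed_len) + payload + b"\x00" * PADDING_LEN


def vulnerable_handler(memory: bytes, record_off: int, record_len: int) -> bytes:
    """Models OpenSSL 1.0.1 to 1.0.1f: trusts payload_length from the peer."""
    hbtype, payload_len = struct.unpack_from("!BH", memory, record_off)
    if hbtype != HB_REQUEST:
        return b""
    start = record_off + 3
    # Bug: copies payload_len bytes regardless of how many were actually received,
    # so the response carries whatever follows the record in memory.
    return struct.pack("!BH", HB_RESPONSE, payload_len) + memory[start:start + payload_len]


def fixed_handler(memory: bytes, record_off: int, record_len: int):
    """Models the 1.0.1g fix: validate payload_length against the record length."""
    if record_len < 1 + 2 + PADDING_LEN:
        return None  # too short to hold even a header and the minimum padding
    hbtype, payload_len = struct.unpack_from("!BH", memory, record_off)
    if hbtype != HB_REQUEST:
        return None
    if 1 + 2 + payload_len + PADDING_LEN > record_len:
        return None  # length field exceeds the record: silently discard, as the fix does
    start = record_off + 3
    return struct.pack("!BH", HB_RESPONSE, payload_len) + memory[start:start + payload_len]


def simulate(claimed_len: int, payload: bytes = b"hat"):
    """Run both handlers on the same record and return (vulnerable, fixed) responses."""
    record = build_heartbeat(payload, claimed_len)
    memory = record + SECRET  # record sits at offset 0, secret immediately after it
    return (
        vulnerable_handler(memory, 0, len(record)),
        fixed_handler(memory, 0, len(record)),
    )


if __name__ == "__main__":
    honest_vuln, honest_fixed = simulate(3)
    print("honest request, both handlers agree:", honest_vuln == honest_fixed)
    lying_vuln, lying_fixed = simulate(0xFFFF)
    print("lying request leaks secret (vulnerable):", SECRET in lying_vuln)
    print("lying request discarded (fixed):", lying_fixed is None)
```

On a real host the equivalent check is to confirm the library version with `openssl version` and verify it reports 1.0.1g or later, or that the build was configured with `-DOPENSSL_NO_HEARTBEATS`; patching alone is not enough, since any key or credential that was in process memory while the server was exposed must be assumed compromised and rotated.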
Apple said its products and services were unaffected by the bug. Yahoo, Gmail, and Amazon Web Services were all affected, which could have been the basis of the email surveillance described in the documents leaked by Edward Snowden in 2013. The Bloomberg report suggests that the NSA holds a catalog of hundreds of exploits similar to Heartbleed.
The White House's National Security Council, which sets intelligence policy but does not run the NSA, issued an oddly adamant denial. In its statement, the council claims that "reports that NSA, or any other part of the government, were aware of the so-called Heartbleed vulnerability before April 2014 are wrong." The statement goes on to say that "if the Federal government, including the intelligence community, had discovered this vulnerability prior to last week, it would have been disclosed to the community responsible for OpenSSL." The NSA does not usually couch its statements or denials in such direct and unequivocal language.