The US National Security Agency has denied it knew about or exploited the Heartbleed security flaw, but government officials have revealed a loophole that would allow such actions.
Researchers have warned that the flaw could affect up to two-thirds of web servers, those running OpenSSL, and could allow attackers to read data exchanged with users.
A White House official also denied that any part of the US government was aware of the bug before it was reported by security researchers at Google and Finnish security firm Codenomicon in April 2014.
But senior US administration officials have revealed that President Obama has introduced a loophole that the NSA could exploit in future, according to a report in the New York Times.
While Obama has decided that the NSA should go public when it discovers major flaws in Internet security, it does not have to do so in the event of "a clear national security or law enforcement need".
The loophole is likely to allow the NSA to continue to exploit security flaws to crack encryption on the Internet and to design cyber weapons, the paper said.
Whistleblower Edward Snowden has alleged that the NSA deliberately introduced flaws in security software, but a German programmer has accepted responsibility for the Heartbleed bug.
The bug exposes at most 64KB of server memory per request, but an attacker can send heartbeat requests repeatedly until the leaked memory contains what they want, such as usernames and passwords.
Heartbleed has raised concern because of the large number of products and services that make use of vulnerable versions of OpenSSL and the fact that it can be exploited without leaving a trace in server logs.
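To make the "64KB at a time, without a trace" mechanism concrete, here is an added example (not code from the article, and a simplified model rather than OpenSSL's own source) of a TLS heartbeat handler in both its unpatched and patched forms. The heartbeat message layout follows RFC 6520; the credential string, the 256-byte "process memory" buffer and the 64-byte claimed length are constructed for the demonstration and stand in for whatever happened to sit next to the request in a real server's heap.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* TLS heartbeat message layout (RFC 6520), carried inside one TLS record:
 *   type (1 byte) | payload_length (2 bytes, big-endian) | payload | padding (>= 16 bytes) */
#define HB_REQUEST      1
#define HB_RESPONSE     2
#define HB_PADDING      16
#define HB_MAX_PAYLOAD  65535   /* 16-bit length field: the "64KB at a time" ceiling */

/* Build a heartbeat response for the rec_len-byte record at rec, writing it to out
 * (which must hold 3 + HB_MAX_PAYLOAD + HB_PADDING bytes). Returns the number of
 * bytes written, or 0 if the record is dropped.
 *
 * check_bounds == 0 models OpenSSL 1.0.1 through 1.0.1f: payload_length is trusted
 * and that many bytes are copied from the record's position in memory, whether or
 * not the record actually contained them. check_bounds == 1 adds the 1.0.1g check:
 * the claimed payload must fit inside the received record or the message is
 * discarded. Neither path logs anything, which is why exploitation leaves no trace. */
size_t heartbeat_respond(const uint8_t *rec, size_t rec_len, uint8_t *out, int check_bounds)
{
    if (rec_len < 3 || rec[0] != HB_REQUEST)
        return 0;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);   /* attacker-controlled */
    if (check_bounds && (size_t)1 + 2 + payload + HB_PADDING > rec_len)
        return 0;                                            /* silently dropped */
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);   /* the over-read: bytes past the record leak here */
    memset(out + 3 + payload, 0, HB_PADDING);
    return 3 + payload + HB_PADDING;
}

/* Constructed scenario (not a real capture): a request that claims 64 payload bytes
 * but carries 4, placed in a buffer where the "process memory" just behind the
 * record holds a credential string of the kind the article describes. */
static const char SECRET[] = "user=alice&pass=hunter2";
#define CLAIMED_LEN 64
#define REAL_LEN    4
#define MALICIOUS_REC_LEN (3 + REAL_LEN + HB_PADDING)   /* 23 bytes actually received */

static uint8_t g_reply[3 + HB_MAX_PAYLOAD + HB_PADDING];

static void build_memory(uint8_t *mem, size_t mem_len)
{
    memset(mem, 0, mem_len);
    mem[0] = HB_REQUEST;
    mem[1] = (CLAIMED_LEN >> 8) & 0xff;
    mem[2] = CLAIMED_LEN & 0xff;
    memcpy(mem + 3, "ping", REAL_LEN);
    /* padding bytes are already zero; the secret sits right behind the record */
    memcpy(mem + MALICIOUS_REC_LEN, SECRET, sizeof SECRET);
}

/* Returns 1 if the unpatched handler echoes the adjacent secret back to the client. */
int vulnerable_leaks_secret(void)
{
    uint8_t mem[256];
    build_memory(mem, sizeof mem);
    size_t n = heartbeat_respond(mem, MALICIOUS_REC_LEN, g_reply, 0);
    if (n != 3 + CLAIMED_LEN + HB_PADDING)
        return 0;
    /* byte i of the record lands at g_reply[i]; the secret began at offset MALICIOUS_REC_LEN */
    return memcmp(g_reply + MALICIOUS_REC_LEN, SECRET, strlen(SECRET)) == 0;
}

/* Response length from the patched handler for the same malicious record (0 = dropped). */
size_t patched_handles_malicious(void)
{
    uint8_t mem[256];
    build_memory(mem, sizeof mem);
    return heartbeat_respond(mem, MALICIOUS_REC_LEN, g_reply, 1);
}

/* Response length from the patched handler for an honest 4-byte request (23 bytes). */
size_t patched_handles_benign(void)
{
    uint8_t mem[256];
    build_memory(mem, sizeof mem);
    mem[1] = 0;
    mem[2] = REAL_LEN;   /* the length field now matches what was actually sent */
    return heartbeat_respond(mem, MALICIOUS_REC_LEN, g_reply, 1);
}

int main(void)
{
    printf("unpatched handler leaks adjacent secret: %s\n", vulnerable_leaks_secret() ? "yes" : "no");
    printf("patched handler reply length for malicious request: %zu (0 = dropped)\n", patched_handles_malicious());
    printf("patched handler reply length for honest request: %zu\n", patched_handles_benign());
    return 0;
}
```

The single comparison in the patched path is the whole fix: the server already knows how many bytes arrived in the record, so a claimed length that does not fit is rejected before any copy. The same comparison is what a network sensor would use to flag a Heartbleed probe, since a legitimate client never claims more payload than it sends.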
After casting doubt on the scale of the threat, security firm CloudFlare set a challenge to see if anyone could exploit the flaw to obtain the private SSL keys that would put data at risk.
In response, four researchers working separately demonstrated that a server's private key can be obtained using the Heartbleed bug, according to a CloudFlare blog post.
“This result reminds us not to underestimate the power of the crowd and emphasizes the danger posed by this vulnerability,” the blog post said.
Several makers of internet hardware and software have warned that some of their products are affected, including network routers and switches, video conferencing equipment, phone call software, firewalls and remote working applications.
At the weekend, BlackBerry announced that it plans to release security updates for messaging software for Android and iOS devices to address vulnerabilities related to the OpenSSL flaw.
The company said that while most BlackBerry products do not use the vulnerable software, it does need to update its Secure Work Space corporate email and BBM messaging for Android and iOS.
BlackBerry said these products would be vulnerable to attacks if hackers gained access to the apps through either WiFi connections or carrier networks.
But a company representative said the risk was "extremely small" because BlackBerry's security technology would make such attacks difficult, the Guardian reported.
Other suppliers that have rushed to respond to the threat include Cisco Systems, Hewlett-Packard, IBM, Intel, Juniper Networks, Oracle and Red Hat.