Tech companies are scrambling to fix a major security flaw that for more than a decade left users of Apple and Google devices vulnerable to hacking when they visited millions of supposedly secure Web sites, including Whitehouse.gov, NSA.gov and FBI.gov. The newly discovered flaw is known as the ‘FREAK’ attack.
So far, there is no evidence that any hackers have exploited the weakness, which companies are moving to repair. Reports suggest that the flaw resulted from a former U.S. government policy that forbade the export of strong encryption and required weaker ‘export-grade’ products to be shipped to customers in other countries.
Many popular websites and some internet browsers continued to accept the weaker encryption, or can be tricked into using it, according to the experts at several research institutions who reported their findings Tuesday. They said that could make it easier for hackers to break the encryption that is supposed to prevent digital eavesdropping when a visitor types sensitive information into a website.
Researchers found in recent weeks that they could force browsers to use the weaker encryption, then crack it over the course of just a few hours. Once it is cracked, hackers could steal passwords and other personal information, and potentially launch a broader attack on the Web site itself by taking over elements on a page, such as a Facebook ‘Like’ button.
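The server-side half of what the researchers describe is a server that will still negotiate an RSA_EXPORT cipher suite when a man-in-the-middle rewrites the client's offer down to one. The script below is an added example, not the researchers' tool or any vendor's code: it builds a raw TLS 1.0 ClientHello that offers only the three registered RSA_EXPORT suites and reports which one, if any, the server selects. Raw bytes are used because current OpenSSL builds typically no longer compile in export suites, so `openssl s_client -cipher EXPORT` cannot perform this check. The hostname `example.com` in the usage line is a placeholder. Note the caveat: this tests only the server. The client-side bug (a browser accepting a 512-bit export key it never asked for) is separate, and a server that rejects these suites protects its users from FREAK regardless of their browser.

```python
"""Check whether a TLS server still negotiates RSA_EXPORT cipher suites.

Added example for illustration; not the FREAK researchers' scanner.
"""
import os
import socket
import struct

# RSA_EXPORT suites from the IANA TLS Cipher Suite registry. A FREAK MITM
# rewrites the victim's ClientHello so that only suites like these are offered.
RSA_EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
}


def build_client_hello(host, suites):
    """Return one TLS 1.0 record carrying a ClientHello that offers only `suites`.

    The server_name extension is included so virtual hosts answer correctly.
    """
    name = host.encode("idna")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name      # name_type host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list  # ext type 0 = server_name
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    cipher_bytes = b"".join(struct.pack("!H", s) for s in suites)
    body = (
        b"\x03\x01"                                       # client_version: TLS 1.0
        + os.urandom(32)                                  # client random
        + b"\x00"                                         # empty session_id
        + struct.pack("!H", len(cipher_bytes)) + cipher_bytes
        + b"\x01\x00"                                     # one compression method: null
        + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_server_hello(data):
    """Return the cipher suite chosen in a ServerHello record, or None.

    None means the server answered with an alert (the expected result from a
    patched server) or with something that is not a ServerHello.
    """
    if len(data) < 5 or data[0] != 0x16:        # 0x15 would be an alert record
        return None
    rec_len = struct.unpack("!H", data[3:5])[0]
    hs = data[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x02:            # HandshakeType server_hello
        return None
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    # version(2) + random(32) + session_id_len(1) + session_id + cipher_suite(2)
    if len(body) < 35:
        return None
    off = 35 + body[34]
    if len(body) < off + 2:
        return None
    return struct.unpack("!H", body[off:off + 2])[0]


def server_accepts_export_rsa(host, port=443, timeout=5.0):
    """Offer only RSA_EXPORT suites and report which one the server selects.

    Returns (suite_id, suite_name); both are None when the server refuses.
    """
    hello = build_client_hello(host, list(RSA_EXPORT_SUITES))
    data = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(hello)
        try:
            while True:
                chunk = sock.recv(4096)
                if not chunk:
                    break
                data += chunk
                if len(data) >= 5 and len(data) >= 5 + struct.unpack("!H", data[3:5])[0]:
                    break                          # full first record received
        except socket.timeout:
            pass
    suite = parse_server_hello(data)
    return suite, RSA_EXPORT_SUITES.get(suite)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"  # placeholder host
    suite, name = server_accepts_export_rsa(target)
    if name:
        print(f"{target}: server still negotiates {name} (0x{suite:04x}); FREAK-exposed")
    else:
        print(f"{target}: RSA_EXPORT suites rejected")
```

A server that is safe answers the export-only offer with a handshake_failure alert, which `parse_server_hello` reports as `None`; a server that answers with a ServerHello naming one of the three suites will go on to send a 512-bit RSA export key, which is the key the researchers factored in hours.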
University of Michigan computer scientist Zakir Durumeric said the vulnerability affects Apple’s web browsers and the browser built into Google’s Android software, but not Google’s Chrome browser or current browsers from Microsoft or Firefox-maker Mozilla.
Apple Inc. and Google Inc. both said they have created software updates to fix the ‘FREAK attack’ flaw, whose name stands for Factoring attack on RSA-EXPORT Keys. The companies said the problem would be fixed in the coming week and that their users would receive the updates. Google said it has provided an update to device makers and wireless carriers.
A number of commercial website operators are taking corrective action to resolve the problem after being notified privately, said Matthew Green, a computer security researcher at Johns Hopkins University.
However, some experts say that measures to weaken security only add complexity that hackers can exploit; it is, they say, like adding fuel to a fire. The problem shows the danger of government policies that require any weakening of encryption code, even to help fight crime or threats to national security. They warned that such policies could inadvertently provide access to hackers.
“This was a policy decision made 20 years ago and it’s now coming back to bite us,” said Edward Felten, a professor of computer science and public affairs at Princeton, referring to the old restrictions on exporting encryption code.