Cryptographers have discovered that a security flaw dating back to the ’90s is placing OS X, iOS and Android users at risk from hacking attacks when visiting some major websites, including American Express, Airtel, Bloomberg, Business Insider, Groupon, Marriott and many more.
The FREAK exploit allows an attacker to force a website to use weaker, export-grade encryption for HTTPS connections, which can be cracked within a few hours using a small botnet of just 75 computers. Once cracked, attackers would be able to hack the website as well as steal personal data from those visiting the site …
The weakness exists because of a U.S. government policy dating back to the 1990s, reports the Washington Post.
The flaw resulted from a former U.S. government policy that forbade the export of strong encryption and required that weaker “export-grade” products be shipped to customers in other countries, say the researchers who discovered the problem. These restrictions were lifted in the late 1990s, but the weaker encryption got baked into widely used software that proliferated around the world and back into the United States, apparently unnoticed until this year.
FREAK is an acronym for the method of attack: Factoring RSA-EXPORT Keys. Any browser using an unpatched version of OpenSSL is at risk, which includes Safari on both Mac and iOS.
Ironically, the FBI, White House and NSA sites were all vulnerable, though Re/code reports that the former two have since been fixed. The list of top-ranking sites vulnerable to the exploit is extensive. You can check whether any sites you visit are at risk by searching the complete domain list.
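The downgrade described above shows up on the wire as the server choosing one of the RSA_EXPORT (or DH_EXPORT) cipher suites in its ServerHello. The following Python example is added here to illustrate that; it is not code from the article, from the researchers, or from any vendor mentioned. It parses a TLS ServerHello record, flags the negotiated suite if it is one of the export-grade code points defined in RFC 2246/5246, and shows a client-side `ssl` configuration that refuses such suites. The `build_server_hello` helper and the sample records it produces are constructed for the demonstration; the cipher-suite code points are the standard IANA values.

```python
import ssl
import struct

# Export-grade cipher suites (40-bit RC4/RC2/DES40, 512-bit RSA or DH key exchange)
# as assigned in RFC 2246 / RFC 5246 Appendix C. Negotiating any of these is what
# FREAK forces on a vulnerable client/server pair.
EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x000B: "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x000E: "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0011: "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x0014: "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0017: "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5",
    0x0019: "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA",
}


def parse_server_hello(record: bytes) -> dict:
    """Parse a TLS record carrying a ServerHello (type 0x16 / handshake type 0x02).

    Returns the protocol version, session id and the single cipher suite the
    server selected. Raises ValueError on anything that is not a well-formed
    ServerHello, so a detector fed arbitrary bytes fails closed.
    """
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x02:
        raise ValueError("not a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) < 35:  # version(2) + random(32) + session_id length(1)
        raise ValueError("truncated ServerHello")
    version = struct.unpack("!H", hello[0:2])[0]
    sid_len = hello[34]
    off = 35 + sid_len
    if len(hello) < off + 3:  # cipher_suite(2) + compression_method(1)
        raise ValueError("truncated ServerHello")
    suite = struct.unpack("!H", hello[off:off + 2])[0]
    return {"version": version, "session_id": hello[35:off], "cipher_suite": suite}


def check_negotiated_suite(record: bytes) -> tuple:
    """Return (is_export_grade, human-readable verdict) for a captured ServerHello."""
    suite = parse_server_hello(record)["cipher_suite"]
    if suite in EXPORT_SUITES:
        return True, f"export-grade suite negotiated: {EXPORT_SUITES[suite]} (0x{suite:04x})"
    return False, f"suite 0x{suite:04x} is not export-grade"


def build_server_hello(cipher_suite: int, version: int = 0x0303) -> bytes:
    """Constructed sample only: a minimal ServerHello with an empty session id,
    all-zero random and no extensions, wrapped in a TLS record."""
    hello = (struct.pack("!H", version) + b"\x00" * 32 + b"\x00"
             + struct.pack("!H", cipher_suite) + b"\x00")
    handshake = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16" + struct.pack("!H", version) + struct.pack("!H", len(handshake)) + handshake


def hardened_client_context() -> ssl.SSLContext:
    """Client context that refuses export-grade and other weak suites outright,
    so a downgrade attempt ends in a handshake failure instead of a 512-bit key."""
    ctx = ssl.create_default_context()
    ctx.set_ciphers("HIGH:!aNULL:!eNULL:!EXPORT:!LOW:!RC4:!MD5")
    return ctx


def context_offers_export_suite(ctx: ssl.SSLContext) -> bool:
    """True if any suite the context would offer is an export (EXP-*) suite."""
    return any("EXP" in c["name"] for c in ctx.get_ciphers())


if __name__ == "__main__":
    # Constructed samples: one downgraded handshake, one normal ECDHE-RSA-AES128-GCM-SHA256.
    for rec in (build_server_hello(0x0003), build_server_hello(0xC02F)):
        flagged, verdict = check_negotiated_suite(rec)
        print("ALERT" if flagged else "ok   ", verdict)
    print("hardened context offers export suites:",
          context_offers_export_suite(hardened_client_context()))
```

The same `check_negotiated_suite` logic can be run over ServerHello records pulled from a packet capture to spot connections that actually negotiated an export suite, which is the observable symptom of a FREAK downgrade; the `hardened_client_context` side is the client-side mitigation, independent of whether the server has been fixed.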
Apple is aware of the issue, and has told Re/code that a fix will be pushed next week.
Apple spokesman Ryan James said the company had developed a software update to remediate the vulnerability, and it will be pushed out next week.
It’s not known whether any bad guys have exploited the weakness, so the risk is probably low, but you may want to at least check any websites you use for financial transactions or other sensitive activities.