Cryptographers have discovered that a security flaw dating back to the ’90s is placing OS X, iOS and Android users at risk from hacking attacks when visiting some major websites, including American Express, Airtel, Bloomberg, Business Insider, Groupon, Marriott and many more.

The FREAK exploit allows an attacker to force a website to use lower-grade encryption for HTTPS connections, which can be cracked within a few hours when using a small botnet of just 75 computers. Once cracked, attackers would be able to hack the website as well as steal personal data from those visiting the site … 

The weakness exists because of a U.S. government policy dating back to the 1990s, reports the Washington Post.

The flaw resulted from a former U.S. government policy that forbade the export of strong encryption and required that weaker “export-grade” products be shipped to customers in other countries, say the researchers who discovered the problem. These restrictions were lifted in the late 1990s, but the weaker encryption got baked into widely used software that proliferated around the world and back into the United States, apparently unnoticed until this year.

FREAK is an acronym for the method of attack: Factoring RSA-EXPORT Keys. Any browser using an unpatched version of OpenSSL is at risk, which includes Safari on both Mac and iOS.
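The downgrade described above only works if the server is still willing to negotiate one of the old RSA "export" cipher suites. Below is an added example (written for this page, not code from the researchers or from any vendor) that builds a minimal TLS 1.0 ClientHello offering nothing but those suites and then inspects the server's reply: a ServerHello choosing one of them means the server side of FREAK is still present, while a handshake_failure alert means it refused. The two sample replies are constructed bytes, not captures from any real site.

```python
import struct

# RSA export-grade suites (IANA TLS cipher suite registry values); the
# server-side half of FREAK is accepting any of these.
RSA_EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0062: "TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA",
    0x0064: "TLS_RSA_EXPORT1024_WITH_RC4_56_SHA",
}

def build_client_hello(suites=tuple(RSA_EXPORT_SUITES)):
    """TLS 1.0 ClientHello record offering only `suites` and no extensions."""
    body = b"\x03\x01" + bytes(32)                     # client_version, 32-byte random (zeros, constructed)
    body += b"\x00"                                    # empty session_id
    body += struct.pack("!H", 2 * len(suites))
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # content type 0x16 = handshake

def selected_suite(record):
    """Cipher suite chosen in a ServerHello record, or None if the reply is not a ServerHello."""
    if len(record) < 5 or record[0] != 0x16:           # e.g. 0x15 = alert record
        return None
    handshake = record[5:]
    if handshake[0] != 0x02:                           # type 2 = ServerHello
        return None
    body = handshake[4:]                               # skip type (1) + length (3)
    sid_len = body[34]                                 # version (2) + random (32), then session_id length
    return struct.unpack("!H", body[35 + sid_len:37 + sid_len])[0]

def accepts_export_rsa(response):
    """True if the server answered the export-only ClientHello by picking an export suite."""
    return selected_suite(response) in RSA_EXPORT_SUITES

# Constructed sample replies (not captured from any real server):
# a ServerHello selecting TLS_RSA_EXPORT_WITH_DES40_CBC_SHA (0x0008) ...
VULNERABLE_REPLY = (b"\x16\x03\x01\x00\x2a" + b"\x02\x00\x00\x26"
                    + b"\x03\x01" + bytes(32) + b"\x00" + b"\x00\x08" + b"\x00")
# ... and a fatal handshake_failure alert (no shared cipher suite).
HARDENED_REPLY = b"\x15\x03\x01\x00\x02\x02\x28"

if __name__ == "__main__":
    print("vulnerable sample:", accepts_export_rsa(VULNERABLE_REPLY))   # True
    print("hardened sample:  ", accepts_export_rsa(HARDENED_REPLY))     # False
```

To audit a server you operate, send `build_client_hello()` over a plain TCP connection to port 443 and pass the first record read back to `accepts_export_rsa`; the fix on the server side is to remove every `EXPORT` suite from its cipher list.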

Ironically, the FBI, White House and NSA sites were all vulnerable, though Re/code reports that the former two have since been fixed. The list of top-ranking sites vulnerable to the exploit is extensive. You can check whether any sites you visit are at risk by searching the complete domain list.

Apple is aware of the issue, and has told Re/code that a fix will be pushed next week.

Apple spokesman Ryan James said the company had developed a software update to remediate the vulnerability, and it will be pushed out next week.

It’s not known whether any bad guys have exploited the weakness, so the risk is probably low, but you may want to at least check any websites you use for financial transactions or other sensitive activities.


About the Author

Ben Lovejoy

Ben Lovejoy is a British technology writer and EU Editor for 9to5Mac. He’s known for his op-eds and diary pieces, exploring his experience of Apple products over time, for a more rounded review. He also writes fiction, with two technothriller novels, a couple of SF shorts and a rom-com!