Cryptographers have discovered that a security flaw dating back to the ’90s is placing Android, iOS and Mac users at risk from hacking attacks when visiting some major websites, including American Express, Airtel, Bloomberg, Business Insider, Groupon, Marriott and many more.
The FREAK exploit allows an attacker to force a website to use lower-grade encryption for HTTPS connections, which can be cracked within a few hours when using a small botnet of just 75 computers. Once cracked, attackers would be able to hack the website as well as steal personal data from those visiting the site …
The weakness exists because of a U.S. government policy dating back to the 1990s, reports the Washington Post.
The flaw resulted from a former U.S. government policy that forbade the export of strong encryption and required that weaker “export-grade” products be shipped to customers in other countries, say the researchers who discovered the problem. These restrictions were lifted in the late 1990s, but the weaker encryption got baked into widely used software that proliferated around the world and back into the United States, apparently unnoticed until this year.
FREAK is an acronym for the method of attack: Factoring RSA-EXPORT Keys. Any browser using an unpatched version of OpenSSL is at risk, which includes Android Browser, the default web browser on Android devices.
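The observable sign of the downgrade described above is a TLS ServerHello that carries one of the export-grade cipher suites; a server willing to negotiate such a suite is the precondition for FREAK. The following Python script is an added example, not code from the article or the researchers: it parses a ServerHello record and flags export-grade suites, using the suite identifiers from the IANA TLS Cipher Suite Registry. The `build_server_hello` helper and the records it produces are constructed test input, not captured traffic.

```python
import struct

# IANA-registered TLS cipher suites with export-grade (512-bit RSA or DH) key
# exchange. A ServerHello selecting any of these is the on-the-wire sign of a
# FREAK-style downgrade and a finding in a server audit.
EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x000B: "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x000E: "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0011: "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x0014: "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0017: "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5",
    0x0019: "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA",
}


def build_server_hello(cipher_suite: int, session_id: bytes = b"") -> bytes:
    """Construct a minimal TLS 1.0 ServerHello record (constructed test input)."""
    body = (
        b"\x03\x01"                          # server_version: TLS 1.0
        + bytes(32)                          # server random (zeros; sample only)
        + bytes([len(session_id)]) + session_id
        + struct.pack(">H", cipher_suite)    # the suite the server selected
        + b"\x00"                            # compression_method: null
    )
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body  # type 2 = ServerHello
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake


def parse_server_hello(record: bytes) -> dict:
    """Extract the protocol version and negotiated cipher suite from a ServerHello record."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack(">H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x02:
        raise ValueError("not a ServerHello handshake message")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) < 35:                       # version(2) + random(32) + sid_len(1)
        raise ValueError("truncated ServerHello")
    sid_len = body[34]
    off = 35 + sid_len                       # cipher_suite follows the session id
    if len(body) < off + 3:                  # suite(2) + compression(1)
        raise ValueError("truncated ServerHello")
    suite = struct.unpack(">H", body[off:off + 2])[0]
    return {"version": (body[0], body[1]), "cipher_suite": suite}


def audit_server_hello(record: bytes) -> dict:
    """Parse a ServerHello and report whether an export-grade suite was negotiated."""
    info = parse_server_hello(record)
    name = EXPORT_SUITES.get(info["cipher_suite"])
    info["export_grade"] = name is not None
    info["suite_name"] = name
    return info


if __name__ == "__main__":
    # Two constructed handshakes: one export-grade, one ordinary AES suite.
    for suite in (0x0003, 0x002F):
        result = audit_server_hello(build_server_hello(suite, b"\x11" * 8))
        verdict = "EXPORT-GRADE (FREAK exposure)" if result["export_grade"] else "ok"
        print(f"cipher_suite=0x{result['cipher_suite']:04x} -> {verdict}")
```

The same parser can be pointed at the first server record of a captured handshake; any hit in `EXPORT_SUITES` means the server still honours export suites and should have them removed from its configuration.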
Ironically, the FBI, White House and NSA sites were all vulnerable, though Re/code reports that the former two have since been fixed. The list of top-ranking sites vulnerable to the exploit is extensive. You can check whether any sites you visit are at risk by searching the complete domain list.
Both Google and Apple have developed fixes for the issue, reports Re/code. While Apple has said that the fix will be pushed to its devices next week, Google does not have control over when its own fix will reach Android devices.
Google spokeswoman Liz Markman said the company had also developed a patch, which it has provided to partners. She declined to say when users could expect to receive those upgrades. Google typically does not directly push out Android software updates. Instead they are handled by device makers and mobile carriers.
It’s not known whether any bad guys have exploited the weakness, so the risk is probably low, but you may want to switch from Android Browser to Chrome for Mobile on your Android devices, as this is not vulnerable to the attack.