FREAK Security Flaw From the Past Haunts Apple and Google
A decades-old vulnerability in web browsers is threatening some of the biggest websites, including those of the US government.
The vulnerability, dubbed the 'FREAK attack', arose in the 90s when a certain encryption standard, called export-grade encryption, was mandated by the government. These ciphers were neither the best nor the strongest, but they were presumed good enough for security purposes at a time when access to raw computing power was hard to come by. Given today's computing capabilities, however, they can be broken in hours. Export-grade encryption has remained part of browsers ever since it was created and, if exploited, can result in massive data theft, reports CNET.
According to TechCrunch, the vulnerability today mainly plagues Google and Apple devices, including the Safari web browser and other connections that use unpatched OpenSSL.
"Vulnerable clients include many Google and Apple devices (which use unpatched OpenSSL), a large number of embedded systems, and many other software products that use TLS behind the scenes without disabling the vulnerable cryptographic suites," researchers wrote about the attack.
The attack works when a hacker forces a browser to use export-grade encryption, opening a weakness that can be exploited in a few hours. The researchers were able to undermine the encryption of many websites, including US government sites.
The FREAK flaw was discovered a few weeks ago. The good news is that it has not been exploited. Researchers have, however, named websites that are vulnerable and have suggested that administrators disable all insecure ciphers. Apple has reportedly announced that it will release a fix next week.
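The downgrade described above hinges on a client-side check: in TLS, a ServerKeyExchange carrying a temporary RSA key is only legitimate after an RSA_EXPORT suite was negotiated, and a client that accepts one for an ordinary RSA suite can be handed a 512-bit key by a man-in-the-middle. The following Python model, added here and not taken from the article or the researchers, shows the pre-fix acceptance logic beside the hardened one; the suite names follow the IANA scheme, but the suite sets and the 2048-bit certificate key are constructed for the example.

```python
"""Constructed model of the TLS client check that the FREAK downgrade bypassed."""
from dataclasses import dataclass
from typing import Callable, Optional

# Small constructed subset of suite names (IANA naming scheme).
EXPORT_SUITES = {"TLS_RSA_EXPORT_WITH_RC4_40_MD5", "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA"}
RSA_SUITES = {"TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_256_CBC_SHA"}

CERT_KEY_BITS = 2048  # strength of the key in the server's certificate (constructed)


@dataclass
class ServerKeyExchange:
    rsa_modulus_bits: int  # size of the temporary RSA key offered in the message


def vulnerable_client_key_bits(suite: str, ske: Optional[ServerKeyExchange]) -> Optional[int]:
    """Pre-fix behaviour: any temporary RSA key that arrives is used, whatever
    suite was negotiated. Returns the key size the premaster secret would be
    encrypted to, or None if the handshake is aborted."""
    if suite in EXPORT_SUITES or suite in RSA_SUITES:
        return ske.rsa_modulus_bits if ske is not None else CERT_KEY_BITS
    return None


def hardened_client_key_bits(suite: str, ske: Optional[ServerKeyExchange]) -> Optional[int]:
    """Fixed behaviour: export suites are not negotiated at all, and a
    ServerKeyExchange for a plain RSA suite is a protocol violation."""
    if suite not in RSA_SUITES:
        return None  # export (or unknown) suite: refuse to negotiate
    if ske is not None:
        return None  # temporary key where none belongs: tampering, abort
    return CERT_KEY_BITS  # encrypt to the certificate's full-strength key


def mitm_downgrade(client_key_bits: Callable) -> Optional[int]:
    """Replay the FREAK scenario from the client's point of view: the client
    believes a strong RSA suite was chosen, yet a 512-bit temporary key shows
    up because the server was made to use its export key in between."""
    return client_key_bits("TLS_RSA_WITH_AES_128_CBC_SHA", ServerKeyExchange(512))


if __name__ == "__main__":
    print("vulnerable client encrypts to:", mitm_downgrade(vulnerable_client_key_bits))  # 512
    print("hardened client result:", mitm_downgrade(hardened_client_key_bits))  # None
```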