Cyber-security sleuths have recently discovered a widespread vulnerability in Apple’s Safari and Google’s Android web browsers which has left users exposed since the ’90s.
The vulnerability comes as a result of the United States government having prevented the overseas shipment of any products containing strong encryption, essentially creating an “export-grade” encryption standard which has subsequently left a gaping hole in the security of various products that still support export-grade encryption.
While the exploit was discovered on March 3, 2015, CNET reported that the flaw became apparent a few weeks ago when a group of researchers realized that they could force websites to use the weakened encryption, which could be cracked in a matter of just a few hours.
Once attackers have broken the encryption, they can then sniff otherwise secure traffic between the client’s web browser and the website it was communicating with; effectively a hi-tech means of eavesdropping on Internet connections. Ultimately, such an attack would allow hackers to sift through the data, exposing passwords while also allowing them to hijack elements of web-pages.
The “FREAK attack” pertains to a new SSL/TLS vulnerability which allows attackers to intercept otherwise secure HTTPS connections between vulnerable clients and servers, forcing them to utilize export-grade cryptography which can be decrypted or altered, according to the researchers.
If the server accepts RSA_EXPORT cipher suites and the client either offers the same cipher suites or runs a vulnerable version of OpenSSL, then the connection is deemed vulnerable.
Vulnerable clients include a large number of embedded systems, a number of software products utilizing TLS behind the scenes that haven’t disabled the vulnerable cryptographic suites, and Google and Apple devices which use unpatched OpenSSL.
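The two conditions above (a server willing to negotiate RSA_EXPORT suites, and a client that offers them or can be tricked into accepting them) can both be observed in the first two handshake messages. The following is an added example, not code from the article or from the researchers it cites: a small parser for TLS ClientHello and ServerHello records that flags export-grade RSA suites using their real IANA cipher suite IDs, with a classifier a monitoring tool or test harness could apply. The `build_*` helpers assemble constructed sample messages so the example runs offline; the message names and the classification labels are this example's own choices.

```python
import struct

# Export-grade RSA cipher suites as registered by IANA (IDs are real; the
# FREAK downgrade relies on a server selecting one of these).
EXPORT_RSA_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
}


def build_client_hello(suites, session_id=b""):
    """Assemble a minimal TLS 1.0 ClientHello (constructed sample, no extensions)."""
    random = bytes(32)  # constructed placeholder, not cryptographically random
    body = b"\x03\x01" + random + bytes([len(session_id)]) + session_id
    body += struct.pack("!H", 2 * len(suites))
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"  # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def build_server_hello(suite, session_id=b""):
    """Assemble a minimal TLS 1.0 ServerHello selecting one suite (constructed sample)."""
    random = bytes(32)
    body = b"\x03\x01" + random + bytes([len(session_id)]) + session_id
    body += struct.pack("!H", suite) + b"\x00"  # chosen suite, null compression
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def _handshake_body(record, expected_type):
    """Strip the 5-byte record header and 4-byte handshake header, checking types and lengths."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != expected_type:
        raise ValueError("unexpected handshake message type")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated handshake message")
    return body


def _after_session_id(body):
    """Offset just past version (2), random (32), and the length-prefixed session id."""
    pos = 2 + 32
    return pos + 1 + body[pos]


def client_hello_suites(record):
    """Return the list of cipher suite IDs a ClientHello offers."""
    body = _handshake_body(record, 0x01)
    pos = _after_session_id(body)
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    raw = body[pos + 2:pos + 2 + cs_len]
    if len(raw) != cs_len or cs_len % 2:
        raise ValueError("malformed cipher suite list")
    return [struct.unpack("!H", raw[i:i + 2])[0] for i in range(0, cs_len, 2)]


def server_hello_suite(record):
    """Return the cipher suite ID a ServerHello selected."""
    body = _handshake_body(record, 0x02)
    pos = _after_session_id(body)
    return struct.unpack("!H", body[pos:pos + 2])[0]


def classify_handshake(client_hello, server_hello):
    """Label a handshake from a defender's point of view.

    'export-negotiated'        - server picked an export-grade RSA suite (the FREAK condition)
    'client-offers-export'     - client advertises export suites; a fixable client weakness
    'chosen-suite-not-offered' - server picked something the client never sent, which
                                 suggests the ClientHello was modified in transit
    'ok'                       - nothing suspicious in the suite negotiation
    """
    offered = client_hello_suites(client_hello)
    chosen = server_hello_suite(server_hello)
    if chosen in EXPORT_RSA_SUITES:
        return "export-negotiated"
    if chosen not in offered:
        return "chosen-suite-not-offered"
    if any(s in EXPORT_RSA_SUITES for s in offered):
        return "client-offers-export"
    return "ok"


if __name__ == "__main__":
    modern = build_client_hello([0x002F, 0xC02F])      # AES128-SHA, ECDHE-RSA-AES128-GCM-SHA256
    weak = build_client_hello([0x002F, 0x0003])        # also offers RSA_EXPORT RC4-40
    print(classify_handshake(modern, build_server_hello(0x002F)))
    print(classify_handshake(weak, build_server_hello(0x0003)))
```

On the server side the cure is simply to stop accepting these suites: in OpenSSL-based servers an exclusion such as `!EXPORT` in the cipher string removes every export-grade suite, after which the "export-negotiated" outcome above cannot occur regardless of what the client sends.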
The vulnerability was originally discovered by Karthikeyan Bhargavan at the INRIA in Paris.
The report indicated that 9.7 percent of Alexa’s top one-million domains are vulnerable on the server side, which is down from 12.2 percent.
Tech Crunch reported that an Apple spokesperson had said in writing that the company has “a fix in iOS and OS X” which will be made available “next week.”
In essence, to reiterate for those who don’t quite understand, hackers are capable of forcing victims’ web browsers to utilize old encryption ciphers which are easily decrypted, leaving the victims’ connections susceptible to hijacking and sniffing.
Are you concerned you’ll get hacked as a result of this recently discovered vulnerability?