A serious security flaw in some of the world’s most popular web browsers has left users vulnerable to attack when visiting millions of websites.
The bug, known as ‘FREAK’ (‘Factoring attack on RSA-EXPORT Keys’), has left around 5 million of the 14 million encrypted websites on the internet vulnerable, researchers said.
The problem, which is decades old, is said to affect Apple’s Safari browser as well as the default browser on Android devices (though not Google Chrome).
The Washington Post reported that it stems from a 1990s US government policy restricting the export of strong encryption outside the United States. Software sold abroad was instead limited to ‘export-grade’ encryption with 512-bit RSA keys, a strength now considered unacceptably weak.
While those rules were eventually lifted, support for the weaker export-grade cipher suites was left inside lots of widely used software, where it went unnoticed until now.
The researchers, led by Karthikeyan Bhargavan at INRIA in Paris and the miTLS team, were able to trick browsers into accepting the weaker 512-bit keys, and then crack them by factoring, after which it was relatively trivial to steal data and take over elements of the affected websites.
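The first step of the attack described above is a downgrade: a man-in-the-middle rewrites the browser’s ClientHello so that it offers only RSA_EXPORT cipher suites, and a server that still supports them answers with a 512-bit export key. The script below is an added example, not code from the researchers or from any of the companies named in this article; it builds such a ClientHello, parses the server’s reply, and reports whether an export-grade suite was accepted. The cipher suite numbers are the standard TLS 1.0 values; the host name, the `probe` function and the sample responses are assumptions constructed for this example.

```python
import os
import socket
import struct
import sys

# Export-grade RSA cipher suites from TLS 1.0 (RFC 2246) and the 56-bit
# draft suites. A correctly configured server should reject all of them.
RSA_EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0014: "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0062: "TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA",
    0x0064: "TLS_RSA_EXPORT1024_WITH_RC4_56_SHA",
}


def build_client_hello(suites):
    """TLS 1.0 ClientHello that offers only the given cipher suites.
    This is what a FREAK man-in-the-middle forwards to the server in
    place of the browser's real ClientHello."""
    cs = b"".join(struct.pack("!H", s) for s in suites)
    body = (b"\x03\x01"                      # client_version = TLS 1.0
            + os.urandom(32)                 # client random
            + b"\x00"                        # session_id length = 0
            + struct.pack("!H", len(cs)) + cs
            + b"\x01\x00")                   # one compression method: null
    # Handshake header: type 1 (client_hello) + 24-bit length
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    # Record header: type 22 (handshake), version TLS 1.0, 16-bit length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_server_hello(record):
    """Return the cipher suite chosen in a ServerHello record, or None when
    the record is an alert, truncated, or some other handshake message."""
    if len(record) < 5 or record[0] != 0x16:       # not a handshake record
        return None
    hs = record[5:]
    if len(hs) < 4 or hs[0] != 0x02:               # not a server_hello
        return None
    body = hs[4:]
    # server_version(2) random(32) session_id_len(1) session_id(n) suite(2)
    if len(body) < 35:
        return None
    sid_len = body[34]
    off = 35 + sid_len
    if len(body) < off + 2:
        return None
    return struct.unpack("!H", body[off:off + 2])[0]


def negotiated_export_suite(record):
    """Name of the export suite the server accepted, or None if it refused."""
    return RSA_EXPORT_SUITES.get(parse_server_hello(record))


def probe(host, port=443, timeout=5):
    """Assumed helper: send the export-only ClientHello to a live server."""
    with socket.create_connection((host, port), timeout) as sock:
        sock.sendall(build_client_hello(RSA_EXPORT_SUITES))
        return negotiated_export_suite(sock.recv(4096))


def _server_hello(suite):
    """Build a minimal TLS 1.0 ServerHello record selecting `suite`."""
    body = b"\x03\x01" + b"\x00" * 32 + b"\x00" + struct.pack("!H", suite) + b"\x00"
    hs = b"\x02" + struct.pack("!I", len(body))[1:] + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


# Constructed sample responses (not captured from any real server):
SAMPLE_DOWNGRADED = _server_hello(0x0003)          # server took RC4-40 export
SAMPLE_REFUSED = b"\x15\x03\x01\x00\x02\x02\x28"    # fatal handshake_failure alert

if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "example.com"  # assumed target
    suite = probe(host)
    print(f"{host}: {'VULNERABLE, accepted ' + suite if suite else 'refused export suites'}")
```

A server that answers the export-only ClientHello with one of these suites is the kind of server counted in the ‘5 million’ figure above. Note that this only tests the server half of the problem: the client-side bug is that an affected browser accepts a 512-bit export key it never asked for, so a server refusing export suites protects its own users but a browser remains exposed on every site that still offers them.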
Nadia Heninger, from the University of Pennsylvania, told the Post that the flaw was “basically a zombie from the ‘90s”.
The issue was brought to public attention earlier than the researchers had planned after Akamai, a cloud services company, published a blog post about its efforts to combat it. A full list of the servers and sites affected can be read here. Apple and Google are said to be rapidly preparing fixes for the bug, though in the case of the Android browser it might take many months (if it happens at all) for handset makers to actually deploy the fix to users.