Security experts have uncovered an encryption flaw that originated in the 1990s but still leaves users of Apple and Google devices vulnerable when they visit a number of government websites, The Washington Post reported.
The security hole, dubbed “FREAK,” can be traced back to a U.S. government decision two decades ago to require weakened, “export-grade” encryption in software sold abroad. The government reversed that decision in the late 1990s and the weakened standard was thought to be obsolete.
But the weakened encryption was already baked into software around the world, and that software eventually made its way back to the United States.
Security researchers have now found that they can break the weakened encryption in just a few hours and, by exploiting a bug in Internet browsers, force a connection down to it. A hacker could use this flaw to steal passwords and personal data, and even tamper with the content of websites a victim visits.
More disturbingly, researchers found that more than a quarter of encrypted websites, a category that includes most major social media sites, email services and government sites, were vulnerable to attacks using the “FREAK” flaw.
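How the researchers could tell which servers were exposed is a straightforward check, reproduced here as an added example that is not part of the Post's report or the researchers' own tools: send a TLS 1.0 ClientHello that offers only the RSA_EXPORT cipher suites and see whether the server picks one (the server-side condition FREAK needs) or refuses with an alert. The hostname and port below are placeholders, and the ServerHello and alert bytes used for the offline run are constructed for this example, not captured from any real site.

```python
import os
import socket
import struct
import sys

# RSA_EXPORT cipher suites (IANA values from RFC 2246). A server that still
# selects one of these will send a 512-bit temporary RSA key, the FREAK precondition.
EXPORT_RSA_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
}


def build_client_hello(server_name, suites=EXPORT_RSA_SUITES):
    """TLS 1.0 ClientHello record that offers only `suites` (plus an SNI extension)."""
    suite_bytes = b"".join(struct.pack("!H", s) for s in suites)
    name = server_name.encode("idna")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name        # name_type host_name(0)
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list     # extension type server_name
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (
        b"\x03\x01"                                      # client_version: TLS 1.0
        + os.urandom(32)                                 # client random
        + b"\x00"                                        # empty session_id
        + struct.pack("!H", len(suite_bytes)) + suite_bytes
        + b"\x01\x00"                                    # one compression method: null
        + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def build_server_hello(suite):
    """Constructed ServerHello record selecting `suite`; offline test fixture only."""
    body = b"\x03\x01" + bytes(32) + b"\x00" + struct.pack("!H", suite) + b"\x00"
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def classify_response(data):
    """Interpret the first TLS record returned for the export-only ClientHello.

    Returns (verdict, detail): 'accepts_export' means the server chose an
    RSA_EXPORT suite, 'rejects_export' means it answered with an alert; other
    replies are reported as 'no_tls' or 'unexpected_suite'.
    """
    if len(data) < 5:
        return ("no_tls", "short or empty reply")
    rec_type = data[0]
    length = struct.unpack("!H", data[3:5])[0]
    payload = data[5:5 + length]
    if rec_type == 0x15 and len(payload) >= 2:                  # Alert record
        return ("rejects_export", "alert level=%d description=%d" % (payload[0], payload[1]))
    if rec_type == 0x16 and payload and payload[0] == 0x02:     # Handshake record, ServerHello
        hello = payload[4:]                                     # skip 4-byte handshake header
        if len(hello) < 35:
            return ("no_tls", "truncated ServerHello")
        offset = 35 + hello[34]                                 # version(2)+random(32)+sid_len(1)+sid
        if len(hello) < offset + 2:
            return ("no_tls", "truncated ServerHello")
        suite = struct.unpack("!H", hello[offset:offset + 2])[0]
        if suite in EXPORT_RSA_SUITES:
            return ("accepts_export", EXPORT_RSA_SUITES[suite])
        return ("unexpected_suite", "0x%04x" % suite)
    return ("no_tls", "record type 0x%02x" % rec_type)


def check_server(host, port=443, timeout=5.0):
    """Connect to host:port, send the export-only ClientHello and classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(host))
        try:
            data = sock.recv(4096)
        except (socket.timeout, ConnectionError):            # a silent close also means "refused"
            data = b""
    return classify_response(data)


if __name__ == "__main__":
    # Usage: python freak_check.py HOST [PORT]; "example.com" is a placeholder, not a known target
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    print(target, *check_server(target, port))
```

A result of `accepts_export` only establishes the server-side half of the problem; the attack described above also needs a client that will accept the weak temporary key when it did not ask for an export suite, which is the browser bug the patches address. Servers that simply drop the connection show up as `no_tls`, which for this purpose counts as a refusal.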
“We thought of course people stopped using it,” Karthikeyan Bhargavan, a researcher at the French computer science lab INRIA, told The Post. Bhargavan’s team initially discovered the problem.
Matthew Green, a Johns Hopkins cryptographer who also helped uncover the vulnerability, said in a blog post that the government had fixed FBI.gov and Whitehouse.gov, but that NSA.gov remained open to attack through “FREAK.”
Apple said it is working on a security patch it expects to release next week. Google has not yet announced its plans for a patch.