Researchers have discovered a nasty bug that has been around since the 1990s. Dubbed “FREAK,” for Factoring attack on RSA-EXPORT Keys, the security flaw lets an attacker positioned between a device and a website carry out a “man-in-the-middle” attack and decrypt traffic that was supposed to be encrypted. The flaw affects Apple, Google, and other devices that use unpatched OpenSSL, the Washington Post reports.
As the researchers point out, the problem traces back to the US government’s prohibition on shipping products containing strong encryption overseas. Those restrictions permitted only “export-grade” (that is, deliberately weakened and breakable) encryption in exported software.
The restrictions were lifted around 1999, but the export-grade encryption modes never went away, and they left many Apple and Google devices vulnerable when visiting millions of supposedly secure websites, including Whitehouse.gov, NSA.gov, and FBI.gov.
Following the FREAK attack report, researchers put together a list of websites that still accepted the now-obsolete export-grade encryption. The list includes banking and retail sites, as well as US government sites.
Speaking with Reuters and the Washington Post, Apple spokeswoman Trudy Miller said Apple is aware of the vulnerability and is working on a fix.
In recent days, FBI.gov and Whitehouse.gov have been fixed, though NSA.gov remains vulnerable, said Matthew D. Green, a Johns Hopkins cryptographer who helped investigate the encryption flaw. Apple is preparing a security patch that will be in place next week for both its computers and its mobile devices, said company spokeswoman Trudy Miller.
While the Washington Post report said Google Chrome is not vulnerable to the FREAK bug, when visiting the freakattack.com website – the one containing the list of vulnerable sites – I was welcomed by the following warning:
Warning! Your client is vulnerable to CVE-2015-0204. Even though your client doesn’t offer any RSA EXPORT suites, it can still be tricked into using one of them. We encourage you to upgrade your client.
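The warning describes the FREAK symptom exactly: a server (or a man-in-the-middle rewriting the handshake) answers with an RSA-EXPORT cipher suite the client never offered. As an added example, not taken from the article or from the freakattack.com checker, the Python below parses a ClientHello and ServerHello and flags both conditions; the handshake bytes are constructed in the block, and the export suite code points are the RFC 2246 values.

```python
import struct

EXPORT_SUITES = {  # RFC 2246 export-grade code points; FREAK forces one of these
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
}

def _hello_fields(record, msg_type):
    """Unwrap a TLS handshake record; return (body, offset past version/random/session_id)."""
    hs = record[5:5 + struct.unpack(">H", record[3:5])[0]]
    if record[0] != 0x16 or hs[0] != msg_type:
        raise ValueError("unexpected record or handshake type")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    return body, 2 + 32 + 1 + body[34]
def client_hello_suites(record):
    """Cipher suites offered by the client (ClientHello, handshake type 1)."""
    body, pos = _hello_fields(record, 1)
    n = struct.unpack(">H", body[pos:pos + 2])[0]
    return [struct.unpack(">H", body[i:i + 2])[0] for i in range(pos + 2, pos + 2 + n, 2)]
def server_hello_suite(record):
    """Cipher suite selected by the server (ServerHello, handshake type 2)."""
    body, pos = _hello_fields(record, 2)
    return struct.unpack(">H", body[pos:pos + 2])[0]

def check_downgrade(client_record, server_record):
    """Flag both FREAK symptoms: an export suite, and a suite the client never offered."""
    offered, chosen = client_hello_suites(client_record), server_hello_suite(server_record)
    findings = []
    if chosen not in offered:
        findings.append("server chose 0x%04x, which the client did not offer" % chosen)
    if chosen in EXPORT_SUITES:
        findings.append("export-grade suite negotiated: " + EXPORT_SUITES[chosen])
    return findings

def _hello_record(msg_type, tail):
    """Build a constructed hello: TLS 1.0 version, zero random, empty session id, then tail."""
    hs_body = b"\x03\x01" + bytes(32) + b"\x00" + tail
    hs = bytes([msg_type]) + len(hs_body).to_bytes(3, "big") + hs_body
    return b"\x16\x03\x01" + struct.pack(">H", len(hs)) + hs
def build_client_hello(suites):
    cs = b"".join(struct.pack(">H", s) for s in suites)
    return _hello_record(1, struct.pack(">H", len(cs)) + cs + b"\x01\x00")  # + null compression
def build_server_hello(suite):
    return _hello_record(2, struct.pack(">H", suite) + b"\x00")

# Constructed exchange: client offers only strong suites; a tampered ServerHello picks export RSA.
CLIENT_HELLO = build_client_hello([0xC02F, 0x002F, 0x0035])
SERVER_HELLO = build_server_hello(0x0003)
```

A client that enforces the first check (never accept a suite it did not offer) is not trickable in the way the warning describes, whatever suites the server supports.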
Google has already issued a patch (for desktop users), so all you have to do is download the latest update, and you are good to go. We’re still waiting for Apple to push out the fix for Safari.