A widespread, long-standing security flaw that allows attackers to decrypt HTTPS-protected traffic between certain device and potentially millions of websites has been uncovered by security researchers, reports Ars Technica.
Christened the FREAK attack (FREAK being an acronym for 'Factoring RSA Export Keys'), researchers discovered that they were able to launch an attack from seemingly secure websites - from US government sites to banks - forcing browsers to use a markedly weaker form of encryption. This weaker 512-bit key could be broken within seven hours, and could cost as little as $100 per website, reckons Ars Technica. Furthermore, it could potentially launch a stronger attack on affected sites by appropriating elements of a page - such as a Like button on Facebook.
The flaw is actually decades in the making, and is an interesting story in its own right, explained by The Washington Post. The troubles today owe to 'export grade encryption' - a deliberately weaker form of encryption baked into products shipped outside of the United States, enforced by the American government. The restrictions were removed in the late 1990s, but the encryption remains a part of software still used to this day: even in products now bought and sold in the United States.
Vulnerable sites include American Express, Bloomberg, Groupon, Marriott, as well as the NSA and FBI websites, but The Guardian adds that so far there is no evidence that the vulnerability has been exploited by hackers. The flaw affects both Safari web browsers and those built into Google's Android software, but not Chrome, or browsers made by Microsoft or Mozilla.
Apple announced that a fix will be available as of next week, while Google stated that their update for device makers and wireless carriers has already been released. Despite this head start, Android devices may take longer to be secured from the vulnerability due to the wide range of manufacturers and carriers. As Forbes puts it: "as Android manufacturers often take their time to issue updates, it may be some time until all Android users are completely safe from FREAK attacks."