
‘FREAK’ security flaw left Android, Apple users vulnerable to hackers

[Photo: Ethical hackers say government regulations put information at risk. Credit: Nico De Pasquale Photography/Flickr]

TORONTO – Apple and Google are working on a fix for a decades-old security flaw that left users vulnerable to hackers when visiting supposedly secure websites.

The security vulnerability – called FREAK – would have allowed hackers to spy on Android and Apple users by breaking the secure connection between their device’s web browser and websites, including government-run sites like Whitehouse.gov, FBI.gov and NSA.gov.

The flaw affected thousands of websites, leaving users of Apple’s Safari browser (on both mobile devices and Mac computers) and Android’s default browser at risk.

Google Chrome, Microsoft’s Internet Explorer and Mozilla’s Firefox browsers were reportedly not affected.

FREAK was the result of a former U.S. government policy that required U.S. software-makers to use weaker security in encryption programs sold overseas.

“The flaw resulted from a former U.S. government policy that forbade the export of strong encryption and required that weaker ‘export-grade’ products be shipped to customers in other countries, say the researchers who discovered the problem,” reads a report by The Washington Post.


“These restrictions were lifted in the late 1990s, but the weaker encryption got baked into widely used software that proliferated around the world and back into the United States, apparently unnoticed until this year.”

A team of security researchers recently discovered that many websites can still be tricked into accepting the weaker software, allowing hackers to break encryption that’s supposed to prevent digital eavesdropping.

Currently, there is no evidence that any hackers have exploited the weakness, which companies are working to repair. However, a hacker who did exploit the flaw would have been able to see users’ sensitive information, including passwords and credit card details.

Researchers published a list of affected websites, which includes banking and retail websites. However, according to researchers, under 10 per cent of the Internet’s top million websites are vulnerable – down from 12 per cent earlier this week – which means administrators are moving quickly to fix the flaw.
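The fix on the server side is to stop offering the weak "export-grade" cipher suites at all, so a downgrade has nothing to fall back to. The following is an added example for administrators auditing their own configuration; it is not code from the researchers, Apple or Google. It assumes the suite names follow the standard TLS naming (the `EXPORT` marker) and that the local Python links against OpenSSL, whose cipher-string syntax is used for the second check. The sample suite list is constructed for illustration.

```python
"""Audit TLS cipher-suite lists for export-grade (40/56-bit) suites."""
import ssl

# Markers that appear in export-grade suite names, both the IANA form
# (TLS_RSA_EXPORT_WITH_...) and OpenSSL's short form (EXP-RC4-MD5, EXP1024-...).
EXPORT_SUITE_MARKERS = ("EXPORT", "EXP-", "EXP1024")


def is_export_grade(suite_name: str) -> bool:
    """Return True if the suite name denotes an export-grade cipher."""
    name = suite_name.upper()
    return any(marker in name for marker in EXPORT_SUITE_MARKERS)


def weak_suites_in(suite_names):
    """Return the export-grade entries from a list of advertised suite names."""
    return [s for s in suite_names if is_export_grade(s)]


def audit_cipher_string(cipher_string: str):
    """Resolve an OpenSSL cipher string with the local library and return the
    names of any suite weaker than 128 bits or export-grade by name.
    An empty list means the configuration offers no downgrade target.
    Raises ssl.SSLError if the string matches no suite at all."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    return [
        c["name"]
        for c in ctx.get_ciphers()
        if c["strength_bits"] < 128 or is_export_grade(c["name"])
    ]


def local_openssl_offers_export() -> bool:
    """True only if the local OpenSSL can still select any EXPORT suite."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers("EXPORT")
    except ssl.SSLError:
        return False
    return len(ctx.get_ciphers()) > 0


# Constructed sample: a suite list as a misconfigured server might advertise it.
SAMPLE_SERVER_SUITES = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
]

if __name__ == "__main__":
    print("export-grade suites advertised:", weak_suites_in(SAMPLE_SERVER_SUITES))
    # A hardened OpenSSL string: only strong suites, no anonymous or MD5 ones.
    print("weak suites in HIGH:!aNULL:!MD5:", audit_cipher_string("HIGH:!aNULL:!MD5"))
    print("local OpenSSL still offers EXPORT:", local_openssl_offers_export())
```

The first check works on any list of suite names (for example, one copied from a server's configuration or a scan report of your own host); the second resolves a cipher string exactly as the server's OpenSSL would, so it catches weak suites that sneak in through a permissive keyword like `ALL` rather than by name.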

Apple is working on a security patch that will fix the vulnerability in both iOS and Mac devices. The patch will be available to users next week.

Google has also developed a patch to fix the flaw and provided it to Android smartphone makers to deploy to users.