A recently discovered security flaw dubbed the “FREAK attack” left millions of users browsing the web on Apple and Google devices open to eavesdropping by an attacker positioned between their browser and the website. Fortunately, so far there is no evidence that the weakness has been exploited, and the affected companies are working on fixes. In the meantime, researchers point at an old government policy, abandoned more than ten years ago, which forced American software makers to ship deliberately weakened “export-grade” encryption (40-bit symmetric keys and 512-bit RSA keys) in products sold abroad.
Security experts explained that many popular websites still accepted the weaker export-grade cipher suites and that some browsers could be tricked into using them. An attacker sitting on the network path (on an open Wi-Fi network, for example) tampers with the connection setup so that the server answers with a 512-bit export-grade RSA key, and a vulnerable browser accepts that key even though it never asked for export-grade encryption. A 512-bit RSA key can be factored in hours with rented cloud computing, and because many servers reuse the same export key for long periods, one factored key lets the attacker decrypt connections and read the sensitive information you type into a website.
At the time of disclosure, around 30% of all encrypted websites were vulnerable, including sites operated by Groupon, American Express, Marriott, Kohl’s and some government agencies. On the client side, the flaw affects Apple’s web browsers and the browser built into Google’s Android software. According to the initial reports it does not affect Google’s own Chrome browser or up-to-date browsers from Microsoft or Mozilla, although whether a browser is exposed depends on the TLS library it uses rather than on the product name, so the safe course is to verify rather than assume.
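The server-side precondition described above (a site that still accepts RSA_EXPORT cipher suites) can be checked directly: offer the server nothing but export suites in a TLS ClientHello and see whether it agrees or refuses. The script below is an added example written for this article, not code from the researchers or from any of the vendors named; the hostname `example.com` and the sample ServerHello and alert bytes are constructed here for illustration. It builds the export-only ClientHello that a FREAK man-in-the-middle would force on a victim, classifies the server’s reply, and includes a live `probe()` for use against a host you are authorised to test. It does not attempt the factoring step itself.

```python
"""Check whether a TLS server still accepts RSA_EXPORT cipher suites (FREAK server-side precondition)."""
import os
import socket
import struct

# RSA_EXPORT cipher suite identifiers from RFC 2246 (TLS 1.0), appendix A.5.
RSA_EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
}


def build_client_hello(server_name, suites=tuple(RSA_EXPORT_SUITES)):
    """Return a TLS record carrying a ClientHello that offers only `suites`.

    A FREAK man-in-the-middle does the same to a victim's real ClientHello:
    it rewrites the cipher-suite list down to the export suites.
    """
    suite_bytes = b"".join(struct.pack("!H", s) for s in suites)
    name = server_name.encode("ascii")
    # server_name extension (RFC 6066): name_type host_name(0), name length, name
    sni_entry = struct.pack("!BH", 0, len(name)) + name
    sni_ext = (struct.pack("!HH", 0x0000, len(sni_entry) + 2)
               + struct.pack("!H", len(sni_entry)) + sni_entry)
    body = (
        b"\x03\x03"                                          # client_version TLS 1.2
        + os.urandom(32)                                     # random
        + b"\x00"                                            # session_id length 0
        + struct.pack("!H", len(suite_bytes)) + suite_bytes  # cipher_suites
        + b"\x01\x00"                                        # compression: null only
        + struct.pack("!H", len(sni_ext)) + sni_ext          # extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # client_hello(1), 24-bit length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # handshake(22) record


def offered_suites(record):
    """Read back the cipher suites in a ClientHello record (e.g. one captured on the wire)."""
    body = record[9:]                    # skip 5-byte record header and 4-byte handshake header
    sid_len = body[34]                   # 2 bytes version + 32 bytes random precede session_id
    off = 35 + sid_len
    n = struct.unpack("!H", body[off:off + 2])[0]
    return [struct.unpack("!H", body[i:i + 2])[0] for i in range(off + 2, off + 2 + n, 2)]


def parse_server_response(data):
    """Classify the first TLS record a server sent back.

    Returns ("server_hello", cipher_suite) if the server went ahead,
    ("alert", description) if it refused, or ("other", content_type).
    """
    if len(data) < 5:
        raise ValueError("short record")
    content_type, rec_len = data[0], struct.unpack("!H", data[3:5])[0]
    payload = data[5:5 + rec_len]
    if len(payload) < rec_len:
        raise ValueError("truncated record")
    if content_type == 0x15:                                   # alert
        return ("alert", payload[1])
    if content_type == 0x16 and payload and payload[0] == 0x02:  # handshake / server_hello(2)
        hs_len = int.from_bytes(payload[1:4], "big")
        hello = payload[4:4 + hs_len]
        sid_len = hello[34]
        suite_off = 35 + sid_len
        return ("server_hello", struct.unpack("!H", hello[suite_off:suite_off + 2])[0])
    return ("other", content_type)


def accepts_rsa_export(response):
    """True if the server negotiated an RSA_EXPORT suite, i.e. it is FREAK-exposed on its side."""
    kind, value = parse_server_response(response)
    return kind == "server_hello" and value in RSA_EXPORT_SUITES


def probe(host, port=443, timeout=5.0):
    """Live check (needs network and authorisation): send the export-only ClientHello."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(host))
        data = b""
        while len(data) < 5 or len(data) < 5 + struct.unpack("!H", data[3:5])[0]:
            chunk = sock.recv(4096)
            if not chunk:
                break
            data += chunk
    return accepts_rsa_export(data)


def _constructed_server_hello(suite):
    """Constructed sample ServerHello record for offline testing (not captured traffic)."""
    body = b"\x03\x03" + b"\x11" * 32 + b"\x00" + struct.pack("!H", suite) + b"\x00"
    hs = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + struct.pack("!H", len(hs)) + hs


SAMPLE_EXPORT_SERVER_HELLO = _constructed_server_hello(0x0003)      # server agreed to RC4_40
SAMPLE_HANDSHAKE_FAILURE = b"\x15\x03\x03\x00\x02\x02\x28"           # fatal(2) handshake_failure(40)

if __name__ == "__main__":
    print("export suites offered:", [hex(s) for s in offered_suites(build_client_hello("example.com"))])
    print("vulnerable sample:", accepts_rsa_export(SAMPLE_EXPORT_SERVER_HELLO))
    print("refusing sample:", accepts_rsa_export(SAMPLE_HANDSHAKE_FAILURE))
```

A server that is not exposed answers the export-only hello with a `handshake_failure` alert, as in the constructed refusing sample; one that completes a ServerHello with a suite from `RSA_EXPORT_SUITES` is the kind of site the article counts among the vulnerable 30%. The fix on an OpenSSL-based server is to remove the export suites from the configured cipher list (for example by appending `:!EXPORT` to the cipher string), after which the probe should report a refusal.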
Apple and Google both announced that they have developed fixes for the flaw. The name is an acronym: “FREAK” stands for “Factoring attack on RSA-EXPORT Keys”. In the meantime, some commercial website operators have also begun removing export-grade cipher suites from their servers after learning of the vulnerability.
Some experts pointed out that the case illustrates the danger of government policies that deliberately weaken encryption: a weakened mode built in for one purpose remains reachable by attackers long after the policy that required it is gone. In this particular case, they blame a policy decision made roughly twenty years ago, the old restrictions on exporting encryption code, which had already been lifted for more than a decade when the flaw surfaced.