A newly discovered security bug has secretly left Safari users on both iOS and OS X vulnerable to attacks on hundreds of thousands of websites for years.
The ‘FREAK’ security flaw was exposed today by a group of nine researchers who discovered web browsers could be forced to use an intentionally weakened form of encryption. FREAK affects iPhones, Macs, and Android browsers, but Apple’s spokesman says the company will release a fix next week.
Google’s representatives still haven’t commented on the FREAK security flaw, which is a result of U.S. government regulations that banned American companies from exporting strong encryption standards. The restrictions were lifted in the late ’90s, but the weaker encryption was baked into software that proliferated around the world and then made its way back to the United States.
The bug was dubbed FREAK, for ‘Factoring RSA-EXPORT Keys’, and enables attackers to spy on the communications of users with vulnerable software. The flaw went unnoticed for over a decade and left users vulnerable when visiting hundreds of thousands of websites, including Whitehouse.gov, NSA.gov, and FBI.gov.
Once a site was cracked, the researchers found they could steal passwords and other personal info, or launch attacks on the websites by taking over elements of the page. Researchers found that Whitehouse.gov and FBI.gov have already been fixed, but NSA.gov is still vulnerable.