Millions
of people may have been left vulnerable to hackers while surfing the
web on Apple and Google devices, thanks to a newly discovered security
flaw known as “FREAK attack.”
There’s
no evidence so far that any hackers have exploited the weakness, which
companies are now moving to repair. Researchers blame the problem on an
old government policy, abandoned over a decade ago, which required U.S.
software makers to use weaker security in encryption programs sold
overseas due to national security concerns.
Many
popular websites and some Internet browsers continued to accept the
weaker software, or can be tricked into using it, according to experts
at several research institutions who reported their findings Tuesday.
They said that could make it easier for hackers to break the encryption
that’s supposed to prevent digital eavesdropping when a visitor types
sensitive information into a website.
About
a third of all encrypted websites were vulnerable as of Tuesday,
including sites operated by American Express, Groupon, Kohl’s, Marriott
and some government agencies, the researchers said. University of
Michigan computer scientist Zakir Durumeric said the vulnerability
affects Apple web browsers and the browser built into Google’s Android
software, but not Google’s Chrome browser or current browsers from
Microsoft or Firefox-maker Mozilla.
Apple
Inc. and Google Inc. both said Tuesday they have created software
updates to fix the “FREAK attack” flaw, which derives its name from an
acronym of technical terms. Apple said its fix will be available next
week and Google said it has provided an update to device makers and
wireless carriers.
A
number of commercial website operators are also taking corrective
action after being notified privately in recent weeks, said Matthew
Green, a computer security researcher at Johns Hopkins University.
But
some experts said the problem shows the danger of government policies
that require any weakening of encryption code, even to help fight crime
or threats to national security. They warned those policies could
inadvertently provide access to hackers.
“This
was a policy decision made 20 years ago and it’s now coming back to
bite us,” said Edward Felten, a professor of computer science and public
affairs at Princeton, referring to the old restrictions on exporting
encryption code.
Posted by : Gizmeon
No comments:
Post a Comment