Hackers and security experts make a living from sourcing bugs and vulnerabilities with our everyday software, but while the aim of the game is to find and patch these bugs as swiftly as possible, some lie dormant for many years before being discovered. Case in point: a long-standing flaw affecting both Google and Apple software has just been highlighted, leaving users vulnerable to attack when visiting a number of apparently secure websites including Whitehouse.gov, NSA.gov and FBI.gov.
The browser-based ‘FREAK’ bug, which gets its name from Factoring attack on RSA-EXPORT Keys, dates back more than a decade. It is based upon an old U.S. government policy that basically forbade the exporting of strong encryption, meaning that international consumers were shipped products of weakened, “export-grade” encryption. While the antiquated policy is no longer enforced, the weaker encryption is still floating about, and left untreated, could easily be used for unscrupulous ends by opportunistic hackers.
Once intruded, passwords and personal information could be readily extracted, but worryingly, there’s also scope for what full-scale Web attacks that could potentially take over entire elements on a page.
There’s something of an irony that a site like the NSA’s is among those that could expose such a vulnerability. The agency’s tactics have been the subject of much debate in recent times, with surveillance being more ubiquitous than many of us had imagined. Indeed, while various government entities have sought to spy on folk through purpose-built backdoor vulnerabilities in the past, these systems are inherently flawed in that where there’s room for “legitimate” access, any hacker with the appropriate nous can also utilize these systems for less savory enterprises.
Apple is already working on a fix, and has said that a security patch will arrive at some point in the next few days. Google, meanwhile, has yet to pass comment on the matter, although it should be noted that its Chrome browser is not susceptible in this instance. The default Android browser is, however, so if you are running the Big G’s mobile software, you are advised to switch to Chrome; a far superior browsing experience over stock, FREAK security bug or not.
What’s your take on the matter? Share your thoughts with us in the comments section below.