'FREAK' security flaw left Apple, Android users exposed

Apple and Google working on fixes for the decade-old flaw, which researchers blamed on an abandoned US policy on encryption.

Steven Musil Night Editor / News

Browsers and websites were left vulnerable to hacking by an abandoned US encryption policy, researchers say. CNET

Apple and Google are both working on fixes to a decade-old security flaw that could leave millions of users of the tech titans' mobile web browsers vulnerable to hacking.

The newly discovered encryption flaw, known as the "FREAK attack" (for Factoring RSA Export Keys), left users of Apple's Safari and Google's Android browsers vulnerable to attackers for more than a decade, researchers told the Washington Post. Users of those browsers could have their supposedly encrypted traffic intercepted by an attacker positioned between them and any of hundreds of thousands of websites, including Whitehouse.gov, NSA.gov and FBI.gov.

Researchers said there was no evidence hackers had exploited the vulnerability, which they blamed on a former US policy that banned US companies from exporting the strongest encryption standards available, according to the newspaper. The restrictions were lifted in the late 1990s, but the weaker standards were already part of software used widely around the world, including the web browsers.

The vulnerability highlights the unintended and long-lived dangers of policy-mandated weakening of encryption, at a time when US officials are demanding that tech companies build back doors into smartphones so that law enforcement can conduct covert surveillance.

Apple and Google said they were creating software updates to address the vulnerability. Apple told CNET that it would distribute its fix next week, while Google told the newspaper it would provide its update to device makers and wireless carriers.

The flaw surfaced a few weeks ago when a group of researchers discovered they could force a connection between a browser and a website to fall back to the intentionally weakened "export-grade" encryption (RSA keys of only 512 bits), which they were able to break within a few hours. Once a site's export key was factored, an attacker could decrypt the traffic, steal data such as passwords and inject or alter content on the page, the newspaper reported.
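The downgrade described above shows up in the TLS handshake as a mismatch between what the browser offered and what was negotiated: a vulnerable client never asks for an export suite, yet ends up accepting a 512-bit temporary RSA key. The following is an added example, not code from the article or from the researchers, that parses the cipher-suite list out of a raw TLS ClientHello and applies the two checks a hardened client (or a passive monitor) would make: reject any export-grade suite, and reject a temporary RSA key unless an RSA_EXPORT suite was actually negotiated. The cipher-suite IDs are the standard TLS registry values; the ClientHello bytes are constructed by the example itself, not captured traffic.

```python
import struct

# Cipher-suite IDs from the IANA TLS registry (RFC 5246 appendix A.5 / RFC 4346).
# The RSA_EXPORT suites are the export-grade ones a FREAK downgrade targets;
# the others are ordinary suites used here for contrast.
EXPORT_RSA_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
}
STRONG_SUITES = {
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
}


def build_client_hello(suites):
    """Construct a minimal TLS 1.2 ClientHello record (sample input, not real traffic)."""
    body = b"\x03\x03"                                   # client_version: TLS 1.2
    body += bytes(32)                                    # random (zeros in this constructed sample)
    body += b"\x00"                                      # session_id length 0
    body += struct.pack("!H", 2 * len(suites))           # cipher_suites length in bytes
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                  # one compression method: null
    body += b"\x00\x00"                                  # extensions length 0
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = client_hello
    # Record header: content type 0x16 (handshake), legacy version 3.1, length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello_suites(record):
    """Return the cipher suites offered in a ClientHello record, in client preference order."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) != rec_len or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated ClientHello")
    pos = 2 + 32                                         # skip client_version and random
    sid_len = body[pos]
    pos += 1 + sid_len                                   # skip session_id
    suites_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    if suites_len % 2 or pos + suites_len > len(body):
        raise ValueError("bad cipher_suites length")
    return [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + suites_len, 2)]


def offered_export_suites(record):
    """Names of export-grade RSA suites the client is willing to use; should be empty."""
    return [EXPORT_RSA_SUITES[s] for s in parse_client_hello_suites(record)
            if s in EXPORT_RSA_SUITES]


def classify_negotiation(record, selected_suite):
    """Judge the server's choice against what the client offered."""
    offered = parse_client_hello_suites(record)
    if selected_suite not in offered:
        # A suite the client never offered is the signature of a man-in-the-middle
        # rewriting the handshake (or a badly broken server); never proceed.
        return "reject: server chose a suite the client never offered"
    if selected_suite in EXPORT_RSA_SUITES:
        return "reject: export-grade suite negotiated"
    return "ok"


def temp_rsa_key_permitted(selected_suite, rsa_modulus_bits):
    """Client-side rule that closes the FREAK hole (the behaviour patched libraries adopted):
    a ServerKeyExchange carrying a temporary RSA key is only legitimate for an
    RSA_EXPORT suite, and export keys are at most 512 bits by definition."""
    if selected_suite in EXPORT_RSA_SUITES:
        return rsa_modulus_bits <= 512
    return False   # vulnerable clients returned True here for any RSA suite


if __name__ == "__main__":
    hello = build_client_hello([0xC02F, 0xC013, 0x002F, 0x000A])
    print("offered export suites:", offered_export_suites(hello))
    print("negotiated 0x0003:", classify_negotiation(hello, 0x0003))
    print("temp RSA key on 0x002F:", temp_rsa_key_permitted(0x002F, 512))
```

Servers have the complementary fix: remove every EXPORT suite from the configured cipher list so there is nothing to downgrade to. A quick way to confirm a server no longer offers them is `openssl s_client -cipher EXPORT -connect host:443`, which should fail to negotiate; that check is a live network probe and is not part of the offline example above.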

Researchers had been alerting affected government and commercial websites for a few weeks so that corrective measures could be taken before the vulnerability was publicized, the newspaper reported. Whitehouse.gov and FBI.gov have been repaired, but NSA.gov remained vulnerable, researchers told the newspaper.