“FREAK” flaw undermines security for Apple and Google users, researchers discover

Technology companies are scrambling to fix a major security flaw that for more than a decade left users of Apple and Google devices vulnerable to hacking when they visited hundreds of thousands of supposedly secure Web sites, including Whitehouse.gov, NSA.gov and FBI.gov. The flaw resulted from a former US government policy that once forbid the export of strong encryption and required that weaker “export-grade” products be shipped to customers in other countries, say the researchers who discovered the problem. These restrictions were lifted in the late 1990s, but the weaker encryption got baked into widely used software that proliferated around the world and back into the United States, apparently unnoticed until 2015.

Researchers discovered in recent weeks that they could force browsers to use the old export-grade encryption then crack it over the course of just a few hours. Once cracked, hackers could steal passwords and other personal information and potentially launch a broader attack on the Web sites themselves by taking over elements on a page, such as a Facebook “Like” button. The existence of the problem with export-grade encryption amazed the researchers, who have dubbed the flaw “FREAK” for Factoring attack on RSA-EXPORT Keys. The keys used in the export-grade encryption had 512 bits, a standard that was considered fairly strong in the 1990s but has been thought unacceptably weak for more than a decade now.