Update: Microsoft has confirmed that the FREAK vulnerability, first thought to affect only Apple and Android users, also affects all currently supported Windows versions. The company announced that a security fix for the flaw is on the way.
Yet another major security flaw has been discovered in the very foundations of the internet, exposing the personal information of millions of users.
The flaw, dubbed FREAK for Factoring attack on RSA-EXPORT Keys, allows a hacker to execute what’s known as a ‘man-in-the-middle’ attack.
By tricking your web browser into using a weaker form of security, a hacker can digitally eavesdrop on your web session and syphon off personal information, account logins and passwords – anything they want, really.
The alarming part is that roughly one-third – ONE-THIRD – of all websites are susceptible to the attack, putting millions of users at risk.
The exploit could also allow hackers to take over elements of a webpage, such as input buttons. For the time being, think wisely before hitting the ‘Like’ button on Facebook.
Are you vulnerable?
If you use an Android or Apple device you are vulnerable to attack, specifically if you use Safari or Android’s built-in web browser.
Google Chrome, Firefox and the current version of Microsoft’s Internet Explorer are believed to be unaffected.
How did this happen?
Blame the US government.
When website code was being developed in the 1990s, US policy restricted the security used by web pages to ensure each site contained a ‘back door’ government agencies could access.
This mainly pertained to export-level technology, to ensure the United States could intercept, or basically spy on, website traffic overseas.
The policy was abandoned about a decade ago and security across the web has been improved, but the flaw, built into the very building blocks of the internet, has remained. The phrase ‘haunted by the ghosts of your past’ springs to mind.
The Washington Post reports that researchers have been able to force modern web browsers to use a weaker form of encryption, which can then be cracked in a matter of hours.
Think of it this way: the foundation stones upon which we’ve built the internet – a mighty empire of virtual steel and glass towers of information – are made of sand.
It’s unknown to what extent this vulnerability has been exploited by hackers, a fact that is potentially terrifying, but websites that have already been exposed comprise the usual list of high-profile hacking targets, including American government websites for the FBI, NSA and the White House.
Oh, the irony.
Is there a fix yet?
Apple announced that a fix for OS X and iOS will be available next week. Google has also supplied a fix for Android to hardware manufacturers and wireless carriers.
How can I protect myself?
Here are a few ways to protect your personal information from a FREAK attack.
• Ensure your device is running the latest operating system. Almost 60 percent of Android users are not using an up-to-date version of Android.
• Until a security update is available for your device, use Google Chrome, Firefox or the latest Internet Explorer browsers.
• Avoid public WiFi. Hackers can use these networks like a driftnet to trawl for personal information.
• Ensure your computer has a firewall enabled and up-to-date antivirus software. These two security elements can detect intrusions early and help prevent a violation of your system.