Apple and Android users vulnerable to 'FREAK' security flaw
Posted by: Jon Ben-Mayor on 03/04/2015 10:29 AM

A security flaw from the past has been rediscovered, leaving some companies rushing to patch it. The flaw, called FREAK, is decades old and leaves Apple and Android users at potential risk from hackers. The ironic thing is that users became vulnerable only when they visited Web sites deemed secure, like Whitehouse.gov, NSA.gov and FBI.gov, for instance.


Researchers discovered in recent weeks that they could force browsers to use the weaker encryption, then crack it over the course of just a few hours. Once cracked, hackers could steal passwords and other personal information and potentially launch a broader attack on the Web sites themselves by taking over elements on a page, such as a Facebook “Like” button.
“This is basically a zombie from the 90s,” Nadia Heninger, a University of Pennsylvania cryptographer, told the Post. “I don’t think anybody really realized anybody was still supporting these export suites.”
An Apple spokesperson told Mashable that a fix for iOS and OS X would be available through software updates next week. Google is encouraging all websites to disable support for the export certificates, a spokesperson for the search giant said. The company has also "developed a patch to protect Android's connection to sites that do expose export certs and that patch has been provided to partners."