By Edward Cardenas/AP
SOUTHFIELD (CBS Detroit) – A decades-old government policy may have left millions people who access the Internet on Apple and Google vulnerable to hackers through the “FREAK attack” security flaw.
The Associated Press reports that the problem stems from a former government policy which required U.S. software makers to use weaker security in encryption programs sold overseas due to national security concerns.
So far there has been no evidence any hackers exploited the weakness, which the government ended more than a decade ago, the AP reported.
“This was a policy decision made 20 years ago and it’s now coming back to bite us,” said Edward Felten, a professor of computer science and public affairs at Princeton, referring to the old restrictions on exporting encryption code.
A number of websites, along with some Internet browsers, continued to accept the weaker software, or can be tricked into using it, according to experts at several research institutions who reported their findings Tuesday.
Researchers said that the flaw could make it easier for hackers to break the encryption that’s supposed to prevent digital eavesdropping when a visitor types sensitive information into a website.
Nearly one-third of all encrypted websites were vulnerable as of Tuesday, including sites operated by American Express, Groupon, Kohl’s, Marriott and some government agencies, the AP reported.
University of Michigan computer scientist Zakir Durumeric said the vulnerability affects Apple web browsers and the browser built into Google’s Android software, but not Google’s Chrome browser or current browsers from Microsoft or Firefox-maker Mozilla.
Apple Inc. and Google Inc. both said Tuesday they have created software updates to fix the “FREAK attack” flaw, which derives its name from an acronym of technical terms. Apple said its fix will be available next week and Google said it has provided an update to device makers and wireless carriers.
A number of commercial website operators are also taking corrective action after being notified privately in recent weeks, said Matthew Green, a computer security researcher at Johns Hopkins University.
But some experts said the problem shows the danger of government policies that require any weakening of encryption code, even to help fight crime or threats to national security. They warned those policies could inadvertently provide access to hackers.
TM and © Copyright 2015 CBS Radio Inc. and its relevant subsidiaries. CBS RADIO and EYE Logo TM and Copyright 2015 CBS Broadcasting Inc. Used under license. All Rights Reserved. This material may not be published, broadcast, rewritten, or redistributed. The Associated Press contributed to this report.