An old software flaw is giving Apple and Google new headaches. Browsers on some Android and iOS devices are susceptible to the “Factoring attack on RSA-EXPORT Keys” exploit known as FREAK. Both companies have developed fixes for the problem, but those fixes haven’t reached users yet.
The issue stems from an old U.S. government policy related to encryption. Spy agencies were worried about strong encryption (so not much has changed), particularly from foreign computers, so weaker encryption was required until the late 1990s. But the old encryption lingered in some software, especially outside the U.S., and was eventually included in browsers on certain Android and Apple devices. Now, more than a decade later, it’s undermining security for U.S. citizens.
Researchers discovered that hackers could direct the browser to use the old encryption, which is easy to break. At that point, your personal information is in jeopardy. The researchers also found that hackers could trick users into clicking buttons on otherwise trustworthy websites that could lead them to malware. Among the sites that could be affected were NSA.gov and Whitehouse.gov, according to The Washington Post.
Apple plans to release an update next week that will remove the FREAK threat from its Safari browser, which is on both mobile devices and computers. Google, on the other hand, has already sent a fix for its Android browser to partner companies. Although Google hasn’t said who they are specifically, it’s fair to guess that the fix will flow through mobile carriers as part of typical updates.