(CNNMoney) — Once upon a time, U.S. export rules forced software makers to ship a deliberately weakened version of website encryption abroad, weak enough that the government could still break it.
Now that has come back to haunt us, in the form of a nasty computer bug.
Researchers have discovered a flaw, which they call the FREAK bug, that can let a hacker sitting between you and a website (on an open Wi-Fi network, for example) spy on your Internet session, tamper with what you see and steal your login credentials.
It affects lots of supposedly secure websites, from Symantec.com to NSA.gov. Apple’s Safari browser and the stock Android Web browser are vulnerable. (Google’s Chrome and Mozilla’s Firefox are not affected, and Microsoft’s Internet Explorer was reported unaffected at the time.)
Apple told CNNMoney it plans to have a fix for iPhone and Mac users next week in the form of a software update. Google told the Associated Press that it has provided an update to device makers and wireless carriers.
Kickstarter, WePay, and many other websites that feature Facebook “like” buttons are also vulnerable to this, researchers said.
The issue, explained
Buried somewhere deep inside the code of some Web browsers and websites is an old, weak version of encryption, the so-called “export grade” RSA cipher suites, whose 512-bit keys can be cracked cheaply with today’s computers. And the only reason it exists is because of bad U.S. policies that have since been abolished. The bug is that a vulnerable browser will accept one of these weak keys even when it asked for strong encryption, so an attacker on the network can quietly swap in the weak version, crack the key, and read the rest of the session.
Back in the 1990s, the federal government restricted the export of powerful data encryption. Computer companies were forced to employ two versions of encryption: a strong one for U.S. customers and a weakened one for everyone else, with RSA keys capped at 512 bits. The export limits were lifted by 2000, but the weak stuff stuck around in the code long after it was no longer needed.
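A practical check for a server-side half of the problem is whether a website will still negotiate one of the export-grade RSA cipher suites at all. The script below is an added example written for this page, not code from the researchers, Akamai or CNNMoney. It builds a minimal TLS 1.0 ClientHello that offers only the RSA_EXPORT suites, and classifies the server’s reply: a ServerHello that selects one of them means the server still serves 512-bit export keys; a handshake_failure alert means it refuses them. The cipher-suite code points are the ones from the TLS 1.0 specification and the 56-bit export draft; the sample ServerHello and alert bytes at the bottom are constructed here so the parsing can be exercised offline.

```python
"""Probe a TLS server for export-grade RSA cipher suites (example code for this page)."""
import os
import socket
import struct

# TLS_RSA_EXPORT_* suites: RSA key exchange with a 512-bit (or 1024-bit) "export" key.
RSA_EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0060: "TLS_RSA_EXPORT1024_WITH_RC4_56_MD5",
    0x0061: "TLS_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5",
    0x0062: "TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA",
    0x0064: "TLS_RSA_EXPORT1024_WITH_RC4_56_SHA",
}
ALERT_HANDSHAKE_FAILURE = 40


def build_client_hello(suites, client_random=None):
    """TLS 1.0 ClientHello record offering exactly `suites`, no extensions."""
    client_random = client_random or os.urandom(32)
    suite_bytes = b"".join(struct.pack("!H", s) for s in suites)
    body = (
        struct.pack("!H", 0x0301)            # client_version TLS 1.0
        + client_random                      # 32-byte random
        + b"\x00"                            # empty session id
        + struct.pack("!H", len(suite_bytes)) + suite_bytes
        + b"\x01\x00"                        # one compression method: null
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type ClientHello
    return b"\x16" + struct.pack("!H", 0x0301) + struct.pack("!H", len(handshake)) + handshake


def classify_server_response(data):
    """Return ("alert", description), ("server_hello", suite) or ("unknown", None)."""
    if len(data) >= 7 and data[0] == 0x15:                      # alert record
        return ("alert", data[6])
    if len(data) >= 46 and data[0] == 0x16 and data[5] == 0x02:  # handshake/ServerHello
        sid_len = data[43]                 # 5 record + 4 handshake hdr + 2 version + 32 random
        off = 44 + sid_len
        if len(data) >= off + 2:
            return ("server_hello", struct.unpack("!H", data[off:off + 2])[0])
    return ("unknown", None)


def is_export_accepted(data):
    """True if the server picked an RSA_EXPORT suite from an export-only offer."""
    kind, value = classify_server_response(data)
    return kind == "server_hello" and value in RSA_EXPORT_SUITES


def probe(host, port=443, timeout=5.0):
    """Live check (needs network): does `host` still negotiate export RSA?"""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(list(RSA_EXPORT_SUITES)))
        data = sock.recv(4096)
    return is_export_accepted(data), classify_server_response(data)


def make_server_hello(suite, session_id=b""):
    """Constructed ServerHello record selecting `suite` (test fixture, not captured traffic)."""
    body = (b"\x03\x01" + b"\x00" * 32 + bytes([len(session_id)]) + session_id
            + struct.pack("!H", suite) + b"\x00")
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


# Constructed samples: a server that accepts RC4-40 export, and one that refuses.
SAMPLE_VULNERABLE = make_server_hello(0x0003, session_id=b"\x11" * 32)
SAMPLE_REFUSED = b"\x15\x03\x01\x00\x02\x02" + bytes([ALERT_HANDSHAKE_FAILURE])

if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    vulnerable, detail = probe(host)
    print(host, "accepts export RSA" if vulnerable else "refuses export RSA", detail)
```

Run it as `python3 probe.py www.example.com`. A server that answers with an alert 40 is the good case; one that answers with a ServerHello naming an RSA_EXPORT suite is still handing out the factorable keys. Note this only tests the server side: a browser is vulnerable to FREAK if it accepts such a key after asking for strong ciphers, which this script does not measure.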
The bug was found late last year by academic security researchers at the French computer science institute INRIA. They’ve been quietly helping Apple and others fix this behind the scenes since November. They dubbed it the FREAK bug, short for “Factoring RSA Export Keys.”
Akamai, a content delivery network that sits in front of its customers’ websites and adds a layer of protection, made the bug public on Tuesday. The company said it’s racing to fix the problem for all of its customers.
Bill Brenner, a security writer at Akamai, said the old encryption is so bad that someone could take advantage of the flaw, cracking one of the weak keys with rented computing power, with as little as $100 and a few hours.
Karthikeyan Bhargavan, a computer scientist who led the team that discovered FREAK, said there was no good reason this weak security feature was still around.
“Why is it still in there? God knows,” he said. “Features just grow in software products. People just kept adding more features, and they didn’t take the time to clean out the old ones. A lot of software is too bloated.”
Consider this the first notable bug of 2015. It doesn’t seem to be anywhere near as bad as last year’s Heartbleed bug or Shellshock, though.