The bug, known as ‘Freak’ (‘Factoring Attack on RSA-EXPORT Keys’) has left around 5 million of the 14 million total encrypted websites on the internet vulnerable, researchers said.
This decade-old problem is said to affect Apple’s Safari browser, as well as the default browser in Android devices (excluding Google Chrome).
According to The Washington Post, the bug stems from a 1990s US government policy that restricted the export of strong encryption. Instead, export-grade encryption was limited to 512-bit keys – a level that is now considered unacceptably weak.
While that policy was lifted, the weaker standard was left inside lots of widely used software, flying under the radar until now.
The researchers who discovered the attack, led by Karthikeyan Bhargavan at INRIA in Paris and the miTLS team, were able to force browsers to use the weaker standard and then crack it. They were then able to steal data and take over elements of websites fairly easily.
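The downgrade described above, as an added example that is not part of the article or the researchers' code: a simulated TLS negotiation in which a client that still carries the old export suites in its support table accepts an export suite with a 512-bit key it never offered, next to a hardened client that refuses it. The suite names are the IANA TLS names; the 2048-bit minimum and the simplified handshake are assumptions made for this example.

```python
from dataclasses import dataclass

# IANA suite names. A legacy client still carries the export entries, which is
# how the weak standard stayed inside widely used software.
LEGACY_SUPPORTED = [
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
]
MIN_RSA_BITS = 2048  # policy chosen for this example; export keys were 512-bit


@dataclass(frozen=True)
class ServerHello:
    cipher_suite: str   # suite the server (or a man-in-the-middle) chose
    rsa_key_bits: int   # size of the RSA key the client would encrypt to


def is_export_suite(name):
    return "_EXPORT" in name


def strip_export_suites(supported):
    """Hardening step 1: never offer export-grade suites in the first place."""
    return [s for s in supported if not is_export_suite(s)]


def vulnerable_client_accepts(supported, offered, hello):
    """Pre-fix behaviour: any suite in the client's support table is accepted,
    whether or not it was offered, and the RSA key size is never checked."""
    return hello.cipher_suite in supported


def hardened_client_accepts(supported, offered, hello):
    """Post-fix behaviour: the chosen suite must be one this client offered,
    must not be export grade, and the RSA key must meet the minimum size."""
    if hello.cipher_suite not in offered or hello.cipher_suite not in supported:
        return False
    if is_export_suite(hello.cipher_suite):
        return False
    return hello.rsa_key_bits >= MIN_RSA_BITS


def simulate_downgrade(client_accepts, supported):
    """A middlebox swaps the server's answer for an export suite with a
    constructed 512-bit key; returns True if the client goes along with it."""
    offered = strip_export_suites(supported)
    downgraded = ServerHello("TLS_RSA_EXPORT_WITH_RC4_40_MD5", 512)
    return client_accepts(supported, offered, downgraded)
```

Running `simulate_downgrade` with each client shows the legacy client accepting the 512-bit export suite and the hardened client rejecting it, while a genuine 2048-bit ECDHE answer still passes the hardened checks.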
A full list of the servers and sites affected can be read here. Apple and Google are said to be preparing fixes for the bug to ship out to their users. Android, however, may take months to deploy a fix for its users.