An old US policy requiring weaker encryption for export products is exposing millions of iPhones, Android devices, Mac OS X computers and around 97,000 websites to attack, say researchers.
Although the policy was aimed at the export market in the 1990s and has since been discontinued, products and services using the weakened cryptography are still to be found, including inside the US.
Researchers have found that once intercepted, the connections can be forced to use export-grade cryptography, even if the weak algorithms are disabled by default.
Once cracked, hackers could steal passwords and other personal information and potentially launch a broader attack on the websites themselves, the researchers warned.
About a third of encrypted websites, or 12% of all websites, are believed to be vulnerable, including several banks, media sites and government agencies.
Independent security consultant Graham Cluley said all organisations that run websites should disable support for any export suites on their web servers.
“Freakattack.com suggests that instead of simply excluding RSA export cipher suites, administrators should disable support for all known insecure ciphers and enable forward secrecy,” he said in a blog post.
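The recommendation above (drop all RSA export and other known-insecure suites, and enable forward secrecy) can be checked rather than assumed. The following is an added example, not code from the article or from Freakattack.com: it uses Python's standard `ssl` module to build a server context from a hardened OpenSSL cipher string and audits the suites it actually enables, alongside a constructed list of suite names that a legacy-configured server might still offer. The suite names in `LEGACY_SERVER_SUITES` and the `HARDENED_CIPHERS` string are assumptions chosen for illustration.

```python
import ssl

# Constructed sample: suite names a server with 1990s-era configuration might
# still advertise (three RSA_EXPORT / export-grade suites, one static-RSA suite,
# one forward-secret suite). Not taken from any real scan.
LEGACY_SERVER_SUITES = [
    "EXP-RC4-MD5",
    "EXP-DES-CBC-SHA",
    "EXP-EDH-RSA-DES-CBC-SHA",
    "AES128-SHA",
    "ECDHE-RSA-AES128-GCM-SHA256",
]

# Assumed hardened OpenSSL cipher string: only ephemeral (EC)DH key exchange with
# AEAD ciphers, and explicit exclusion of anonymous, null, MD5, RC4 and 3DES suites.
HARDENED_CIPHERS = (
    "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:"
    "!aNULL:!eNULL:!MD5:!RC4:!3DES"
)


def audit_cipher_names(names):
    """Return {suite_name: [problems]} for suites an administrator should disable.

    'export'  - export-grade suite (OpenSSL names start with EXP-)
    'no-pfs'  - key exchange is not ephemeral, so a recovered server key
                decrypts recorded sessions.  TLS 1.3 suites (TLS_...) always
                use ephemeral key exchange and are never flagged for this.
    """
    findings = {}
    for name in names:
        problems = []
        if name.startswith("EXP-") or "EXPORT" in name:
            problems.append("export")
        # DHE / ECDHE / EDH all denote ephemeral Diffie-Hellman in OpenSSL names.
        ephemeral = "DHE" in name or "EDH" in name or name.startswith("TLS_")
        if not ephemeral:
            problems.append("no-pfs")
        if problems:
            findings[name] = problems
    return findings


def hardened_server_context():
    """Build a server-side SSLContext restricted to forward-secret suites."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(HARDENED_CIPHERS)
    # Let the server's ordered list win over whatever the client prefers.
    ctx.options |= ssl.OP_CIPHER_SERVER_PREFERENCE
    return ctx


def enabled_suite_names(ctx):
    """Names of the suites the context will actually offer (TLS 1.2 and 1.3)."""
    return [c["name"] for c in ctx.get_ciphers()]


if __name__ == "__main__":
    print("legacy configuration findings:")
    for suite, problems in audit_cipher_names(LEGACY_SERVER_SUITES).items():
        print(f"  {suite}: {', '.join(problems)}")

    hardened = enabled_suite_names(hardened_server_context())
    print(f"hardened context offers {len(hardened)} suites; "
          f"findings: {audit_cipher_names(hardened)}")
```

Run it on a machine whose OpenSSL build no longer ships export suites and the hardened context reports no findings, while the constructed legacy list shows exactly which suites the advice targets: every `EXP-` suite is export-grade, and `AES128-SHA` has no forward secrecy even though its cipher is fine.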
Although the vulnerability has existed for more than a decade, researchers said there is no evidence any attackers have exploited the weakness to date.
Researchers have been alerting affected government agencies and companies in the past few weeks to enable them to correct the problem before it became public.
However, cloud services firm Akamai reported on efforts to mitigate the problem in a blog post earlier this week, making the issue public sooner than the researchers had planned, the Washington Post reported.
The FBI.gov and Whitehouse.gov websites have been fixed, but other government sites are believed to still be vulnerable.
Apple is reportedly preparing a security patch that will be in place next week, and Google has provided a patch to makers of Android devices, which will be responsible for deploying it.
Only the browser in Android devices is vulnerable to the Freak bug. Google’s Chrome browser is not vulnerable and connections to Google's search website are not affected, the company said.
Researchers said browsers from Microsoft or Firefox-maker Mozilla are also not affected.
The vulnerability is the latest in a series of weaknesses that have been discovered in SSL/TLS, the technology that was designed to keep online transactions secure.