Apple, Google device users vulnerable to hacking over 'zombie' security bug

Millions of users vulnerable to the flaw in seemingly secure websites for over 10 years

Reading Time:2 minutes

Apple is preparing a security patch that will be in place next week for its computers and mobile devices; while Google's Chrome browser is not vulnerable to the bug, but the browser that comes built into most Android devices is. Photos: Bloomberg, AFP

Published: 8:00am, 5 Mar 2015Updated: 12:10pm, 16 Apr 2015

Technology companies are scrambling to fix a major security flaw that for more than a decade left users of Apple and Google devices vulnerable to hacking when they visited millions of supposedly secure websites, including Whitehouse.gov, NSA.gov and FBI.gov.

The flaw resulted from a former US government policy that forbade the export of strong encryption and required that weaker "export-grade" products be shipped to customers in other countries, say researchers who discovered the problem.

Those restrictions were lifted in the late 1990s, but the weaker encryption was baked into software that proliferated around the world and made its way back into the United States - apparently unnoticed until this year.

Researchers discovered they could force browsers to use the weaker encryption and then crack it over the course of just a few hours.

Once cracked, hackers could steal passwords and other personal information, and potentially launch a broader attack on the websites themselves by taking over elements on a page, such as a Facebook "Like" button.

The existence of the problem with export-grade encryption amazed researchers, who have dubbed the flaw "Freak" ,for Factoring attack on RSA-EXPORT Keys.