A major security flaw has made it possible for hackers to steal passwords and personal data from iPhone and Android users for the past 10 years, researchers say. Top technology companies including Google Inc. and Apple Inc. are now trying to fix a loophole resulting from a U.S. government policy.
The flaw exposed visitors to government sites like Whitehouse.gov, NSA.gov and FBI.gov, as well as roughly one out of 10 of the most popular sites on the web, according to a group of researchers from Microsoft and national computer research organizations in France and Spain. The group found that it could force browsers to accept an easily broken security standard and then crack the device's protection over the course of a few hours.
The hole in web browser security allowed the group to steal passwords and personal data from individuals, and could possibly even open the websites themselves to a wider attack. The security flaw results from a U.S. policy that banned exports of strong software encryption, forcing companies to ship devices with weaker security outside of the U.S. until the late 1990s. Code written to comply with the policy was built into popular software that later spread widely within the U.S. as well, allowing the flaw to linger even after the policy was lifted.
The researchers’ revelations come as U.S. defense and law enforcement agencies have called on Silicon Valley to provide so-called “backdoors” into software to allow them to conduct surveillance. Security researchers and privacy advocates say the backdoors can be easily exploited by computer hackers and cybercriminals.
The security flaw, which affects Apple’s Safari web browser for iOS and Mac, as well as Google’s built-in “Internet” web browser for Android, does not affect Chrome for Android. Both companies say they are taking precautions to fix the problem.
Apple told the Washington Post that the problem would be fixed in an update coming next week, while Google said it had provided a patch for Android that had been distributed to its manufacturing partners, who would have to alter it to fit their own Android devices.
FBI.gov and Whitehouse.gov have been fixed, according to cybersecurity blog Cryptography Engineering, while NSA.gov remains vulnerable.