
HTTPS-crippling FREAK exploit affects thousands of Android and iOS apps

  • March 17, 2015

Jasper_The_Rasper
Moderator

Attackers can use FREAK to steal passwords for finance, shopping, or medical apps.

by Dan Goodin - Mar 17
 
"As an example, an attacker can use a FREAK attack against a popular shopping app to steal a user's login credentials and credit card information," FireEye researchers Yulong Zhang, Zhaofeng Chen, Hui Xue, and Tao Wei wrote in a blog post published Tuesday afternoon. "Other sensitive apps include medical apps, productivity apps and finance apps." The researchers provided the screenshots above and below, which reveal the plaintext data extracted from one of the vulnerable apps after it connected to its paired server.
http://cdn.arstechnica.net/wp-content/uploads/2015/03/freak-attack2-640x498.png 
Full Article

1 reply

Jasper_The_Rasper
Moderator
Summary: Researchers from FireEye claim the security risks posed by the FREAK flaw are far from over.
 
By Charlie Osborne for Zero Day | March 18, 2015
 
A total of 1,228 popular Android apps found in the Google Play store are still vulnerable to a FREAK attack, FireEye says.
 
Research published on Tuesday by the firm's security team disclosed just how vulnerable both Android and iOS apps still are to the FREAK bug.
 
FREAK is a cryptographic weakness which permits attackers to force data traveling between a vulnerable website or operating system to servers that use weak encryption protocols. If combined with a man-in-the-middle attack (MITM), the data could theoretically be intercepted and cracked as the user is unwittingly using a lower level of encryption than believed.
 
According to the team, as of March 4, both of the latest Android and iOS platforms are vulnerable to the security issue. As FREAK is both a platform vulnerability and an app vulnerability, even after Google and Apple issued patches, apps may still be vulnerable when connecting to servers which accept RSA_EXPORT cipher suites.
 
Full Article
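The articles above describe the core of FREAK: a server that still accepts RSA_EXPORT cipher suites can be talked into negotiating 40-bit export-grade RSA with a client that does not refuse it. A defender can check for that outcome directly in traffic by looking at which cipher suite the ServerHello actually selected. The following is an added example (not code from FireEye, Ars Technica or ZDNet): it parses a TLS ServerHello record and flags the RSA export suites defined in RFC 2246; the handshake bytes it runs on are constructed inline, not captured from any real app or server.

```python
import struct
from typing import Optional

# RSA export cipher suites from RFC 2246 (TLS 1.0): the suites a FREAK downgrade ends in.
RSA_EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
}

def parse_server_hello(record: bytes) -> dict:
    """Parse one TLS record carrying a ServerHello; return the negotiated version and cipher suite."""
    if len(record) < 5 or record[0] != 0x16:          # content type 22 = handshake
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x02:              # handshake type 2 = ServerHello
        raise ValueError("not a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) < 35:
        raise ValueError("truncated ServerHello")
    version = struct.unpack("!H", hello[0:2])[0]
    pos = 2 + 32                                       # skip server_version and random
    sid_len = hello[pos]
    pos += 1 + sid_len                                 # skip session_id
    cipher = struct.unpack("!H", hello[pos:pos + 2])[0]
    return {"version": version, "cipher_suite": cipher}

def flags_export_downgrade(record: bytes) -> Optional[str]:
    """Return the export suite name if the server selected one, else None."""
    cipher = parse_server_hello(record)["cipher_suite"]
    return RSA_EXPORT_SUITES.get(cipher)

def build_server_hello(cipher_suite: int) -> bytes:
    """Construct a minimal TLS 1.0 ServerHello record (constructed sample, not real traffic)."""
    hello = (struct.pack("!H", 0x0301) + b"\x00" * 32   # version 3.1, zero random
             + b"\x00"                                   # empty session_id
             + struct.pack("!H", cipher_suite) + b"\x00")  # suite, null compression
    body = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(body)) + body

if __name__ == "__main__":
    downgraded = build_server_hello(0x0003)   # export suite: what a FREAK victim would see
    normal = build_server_hello(0x002F)       # TLS_RSA_WITH_AES_128_CBC_SHA
    print(flags_export_downgrade(downgraded))  # TLS_RSA_EXPORT_WITH_RC4_40_MD5
    print(flags_export_downgrade(normal))      # None
```

Any ServerHello that this flags means the server side accepted an RSA_EXPORT suite, which is the condition the FireEye team names for apps staying vulnerable after the platform patches.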