Facebook, PayPal and other leading sites vulnerable to 19-year-old security bug


A 19-year-old security bug could potentially allow hackers to decrypt encrypted data on several popular sites, including Facebook and PayPal.

A team of hackers uncovered the vulnerability, which is known as the “ROBOT Attack”; according to Alexa, it has affected around 25% of the top 100 sites in the world.

The vulnerability is said to have potentially devastating consequences for users but this is compounded by the fact that the flaw was initially uncovered back in 1998 by Daniel Bleichenbacher of Bell Laboratories.

The hackers said of Facebook, “We discovered that by using some slight variations this vulnerability can still be used against many HTTPS hosts in today’s Internet.”

“For hosts that are vulnerable and only support RSA encryption key exchanges it’s pretty bad. It means an attacker can passively record traffic and later decrypt it.”
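The quoted distinction between hosts that only support RSA key exchange and hosts that also offer other key exchanges is something a defender can check directly in a server's cipher suite configuration. The following script is an added illustration written for this page, not code from the article or from the ROBOT researchers; it classifies IANA cipher suite names by key exchange, flags configurations that still offer RSA key transport, and produces a hardened list with those suites removed. The sample configurations and the `assess` / `drop_rsa_key_transport` function names are constructed for the example.

```python
"""Classify TLS cipher suites by key exchange and flag RSA key transport.

Added illustration (not from the article or the ROBOT researchers' tooling).
Suite names are IANA identifiers; the sample configurations below are
constructed for the example and do not describe any real host.
"""
from collections import Counter

# Prefixes of IANA suite names that use RSA key transport: the pre-master
# secret is encrypted under the server's RSA public key, so a passively
# recorded session can be decrypted later if that RSA decryption can ever
# be performed (the case the quoted researchers call "pretty bad").
RSA_KEY_TRANSPORT = ("TLS_RSA_WITH_",)

# Prefixes of suites whose key exchange is ephemeral (EC)DH.  TLS 1.3 suite
# names carry no key-exchange token because TLS 1.3 only supports (EC)DHE.
FORWARD_SECRET = ("TLS_ECDHE_", "TLS_DHE_", "TLS_AES_", "TLS_CHACHA20_")


def key_exchange(suite: str) -> str:
    """Return 'rsa', 'forward_secret' or 'other' for one IANA suite name."""
    if suite.startswith(RSA_KEY_TRANSPORT):
        return "rsa"
    if suite.startswith(FORWARD_SECRET):
        return "forward_secret"
    return "other"  # static ECDH, PSK, anonymous DH etc. are not classified here


def assess(suites):
    """Summarise a suite list into per-class counts and a verdict.

    Verdicts: 'rsa_only' (every suite uses RSA key transport, the worst
    case in the quote above), 'rsa_enabled' (RSA key transport offered
    alongside other key exchanges), 'no_rsa_key_transport' (none offered).
    """
    counts = Counter(key_exchange(s) for s in suites)
    if counts["rsa"] and counts["rsa"] == len(suites):
        verdict = "rsa_only"
    elif counts["rsa"]:
        verdict = "rsa_enabled"
    else:
        verdict = "no_rsa_key_transport"
    return {"counts": dict(counts), "verdict": verdict}


def drop_rsa_key_transport(suites):
    """Hardened copy of the list with RSA key transport suites removed, order kept."""
    return [s for s in suites if key_exchange(s) != "rsa"]


# Constructed sample configurations (hypothetical, not real hosts' cipher lists).
LEGACY_ONLY_RSA = [
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
]
MIXED = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_AES_256_GCM_SHA384",
]

if __name__ == "__main__":
    for name, cfg in (("legacy", LEGACY_ONLY_RSA),
                      ("mixed", MIXED),
                      ("mixed-hardened", drop_rsa_key_transport(MIXED))):
        print(f"{name:15} {assess(cfg)}")
```

The check works on whatever suite list you can obtain for a server (its configuration file, or the output of a scanner that reports IANA names); it is a configuration review, not a network probe. A `rsa_enabled` verdict still matters, because a client that negotiates one of the remaining `TLS_RSA_WITH_` suites gets a session without forward secrecy.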

It is thought that Facebook has now patched the issue after the tip-off from the helpful hackers.

A Facebook spokesperson said in a statement: “We are grateful to the researchers who brought this to our attention.

“We quickly fixed the issue, which was introduced by a custom patch we developed and wasn’t caught in our testing or an external audit.

“We are not aware of any abuse of this issue, and we paid awards to the researchers through our bug bounty program.

“We also assisted the researchers in further exploring the impact of this issue for other services around the web.”

The hackers, Hanno Böck, Juraj Somorovsky and Craig Young, were paid by Facebook, but how much has not been revealed.

They are also said to have provided lists of vulnerable sites, which are thought to include Cisco.

According to the hackers, “The surprising fact is that our research was very straightforward. We used minor variations of the original attack and were successful.

“This issue was hiding in plain sight. This means neither the vendors of the affected products nor security researchers have investigated this before, although it’s a very classic and well-known attack.”

Source: Forbes

