A major security flaw has been discovered in the Secure Sockets Layer/Transport Layer Security (SSL/TLS) cryptographic protocols, leaving users of Google and Apple devices open to attack when visiting purportedly secure websites.
Technology companies are now rushing to put out fixes for the FREAK attack, disclosed by researchers today.
The vulnerability in the SSL/TLS secure communications protocols allows attackers to intercept HTTPS connections between vulnerable clients and servers - which researchers revealed included web browsers on Android and Apple smartphones.
Attackers could then force the site to downgrade to weak, so-called "export-grade" cryptography, which could be easily cracked in order to decrypt web traffic, in turn allowing attackers to steal passwords and other sensitive information.
The flaw has been around since the late 1990s, stemming from a former US government policy which had banned the export of strong encryption.
The policy - which was ditched in 1999 - meant weaker "export-grade" products were shipped to customers outside of the US.
However, the weaker keys continued to be used by software companies after the policy was canned, going unnoticed until it was discovered this year by the group of cryptographers at INRIA, Microsoft Research and IMDEA.
The "FREAK” name stands for 'factoring attack on RSA-EXPORT keys'. The keys used in the export-grade encryption had a length of 512 bits - which is considered incredibly weak in the current age thanks to rapid increases in computing power - allowing attackers to easily guess the key.
"This bug causes them to accept RSA export-grade keys even when the client didn't ask for export-grade RSA," cryptographer Matthew Green wrote in a blog post.
"The impact of this bug can be quite nasty: it admits a 'man in the middle' attack whereby an active attacker can force down the quality of a connection, provided that the client is vulnerable and the server supports export RSA."
Researchers found they could force web browsers to use the old encryption and crack the key in mere hours.
More than one third of supposedly encrypted websites proved vulnerable to the attack, University of Michigan researchers J. Alex Halderman and Zakir Durumeric found.
The five million affected websites included those run by the FBI, White House, NSA, American Express, and a number of news publications, among many others.
Apple is currently preparing a patch to be made available next week. Google is yet to comment.