Google, Microsoft and Mozilla have all rushed to update their web browsers after it emerged that cybercriminals were exploiting a security loophole that allowed them to impersonate the Google+ social network.
The BBC reports that hackers exploited security credentials that browsers use to verify individual websites, allowing them to create a malicious website that appeared to be part of Google’s social domain. It happened after a Turkish security firm called TurkTrust – which apparently doesn’t live up to its name – mistakenly issued the credentials to hackers, who then set up the malicious site.
The malicious website seems to have gone unnoticed for about a year and a half until it was discovered by Google over the Christmas period.
“Late on December 24, Chrome detected and blocked an unauthorized digital certificate for the ‘*.google.com’ domain,” wrote Google security engineer Adam Langley on the company’s security blog.
“We investigated immediately and found the certificate was issued by an intermediate certificate authority (CA) linking back to TURKTRUST, a Turkish certificate authority. Intermediate CA certificates carry the full authority of the CA, so anyone who has one can use it to create a certificate for any website they wish to impersonate.”
TurkTrust promptly launched an investigation into the security blip, discovering that in August 2011 it had mistakenly issued the wrong “intermediate certificate” to a client. Rather than providing a ‘low level’ certificate, it accidentally gave out two master keys that guarantee a website’s identity. Normally, such master keys are only given to site owners.
Sophos security expert Chester Wisniewski explained how dangerous the certificates can be in the wrong hands:
“These certificates could be used to impersonate any website to any browser without the end user being alerted that anything is wrong. Still get a padlock, still shows everything as valid.”
“When you trust the padlock in your browser to be an indicator of security, you aren’t just trusting the ~150 CAs trusted by Mozilla, Microsoft and Google.”
Wisniewski explains that the certificates are important because the security of online stores and other websites that handle financial transactions is dependent on how master keys and lower-level security credentials interact with one another.
In response to the discovery, Google, Microsoft and Mozilla quickly issued updates so their browsers no longer trust the certificates. Mozilla went even further, programming its Firefox browser not to recognize any TurkTrust-issued security certificates pending the outcome of its own investigation into the lapse.
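To make concrete both the mechanism Langley describes (an intermediate certificate carries the full authority of the CA) and the fix the browser vendors shipped (refusing to trust the specific certificates), here is an added example in Go using only the standard library's crypto/x509 package. It is not code from the article, from Google, or from any of the browser vendors. It constructs a throwaway root, an intermediate that the root issued "by mistake", and a leaf for *.google.com signed with that intermediate, then performs the browser's decision twice: once with the intermediate trusted as normal (the chain validates and the user would see the padlock) and once with the intermediate on a blocklist (the chain is rejected). The CA names are placeholders, and modelling the vendors' updates as a blocklist of SHA-256 certificate fingerprints is an assumption made for the example, not the exact mechanism any of the three browsers used.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"math/big"
	"time"
)

// caTemplate builds the CA template shared by the root and the intermediate:
// an intermediate is just a CA certificate signed by another CA, which is why
// holding one carries the full authority of the CA.
func caTemplate(cn string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
}

// mustIssue signs tmpl with parentKey (self-signs when parent is nil) and returns
// the parsed certificate with the new key. All material is constructed, so a failure here panics.
func mustIssue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// Fingerprint is the SHA-256 of the DER encoding, the usual way a blocklist
// entry pins down one specific certificate (an assumption for this example).
func Fingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.Raw)
	return hex.EncodeToString(sum[:])
}

// Scenario models the incident: a trusted root, an intermediate it issued by
// mistake, and a leaf for *.google.com minted with that intermediate.
type Scenario struct {
	Root, Intermediate, Leaf *x509.Certificate
	Roots, Inters            *x509.CertPool
}

// BuildScenario constructs the hierarchy; the CA names are placeholders.
func BuildScenario() *Scenario {
	root, rootKey := mustIssue(caTemplate("Example Root CA (constructed)", 1), nil, nil)
	inter, interKey := mustIssue(caTemplate("Mis-issued Intermediate (constructed)", 2), root, rootKey)
	leaf, _ := mustIssue(&x509.Certificate{
		SerialNumber: big.NewInt(3), Subject: pkix.Name{CommonName: "*.google.com"},
		DNSNames:  []string{"*.google.com"}, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:  x509.KeyUsageDigitalSignature,
	}, inter, interKey)
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(inter)
	return &Scenario{root, inter, leaf, roots, inters}
}

// Check is the browser-side decision: standard path validation for host, then
// rejection of every chain through a blocklisted certificate. nil is the padlock.
func (s *Scenario) Check(host string, blocklist map[string]bool) error {
	chains, err := s.Leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: s.Roots, Intermediates: s.Inters})
	if err != nil {
		return err // bad signature, expired, or hostname mismatch
	}
	for _, chain := range chains {
		blocked := false
		for _, c := range chain {
			if blocklist[Fingerprint(c)] {
				blocked = true
				break
			}
		}
		if !blocked {
			return nil // at least one clean chain up to a trusted root
		}
	}
	return errors.New("every chain passes through a blocklisted certificate")
}
```

Calling `BuildScenario()` and then `Check("accounts.google.com", nil)` returns nil: ordinary path validation is satisfied, which is Wisniewski's "still get a padlock" point, because nothing in the chain tells the browser the intermediate should never have existed. Calling `Check` again with `map[string]bool{Fingerprint(s.Intermediate): true}` returns an error, which is the effect of the vendor updates: the leaf is still perfectly well-formed, but no acceptable chain to a trusted root remains. Blocklisting the intermediate rather than the leaf matters, since whoever holds the intermediate's key could mint a fresh leaf for any other name at will.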
Wisniewski remarked in his blog that this latest glitch once again exposes the need for a more efficient web security system:
“It is really time we move on from this 20-year-old, poorly implemented system. It doesn’t need to be perfect to beat what we have.”