Critical Email Vulnerability Patched By Microsoft, Google And Yahoo

The use of a weak cryptographic system in encrypting sensitive data is a dangerous practice. It can allow cybercriminials to phish out the data and put it to their nefarious use. Apparently, Google, Microsoft and Yahoo have been making use of similar, weak cryptography for their emails, a problem they have just sorted.


Encryption

The problem was first identified by Zachary Harris, who is a Florida-based mathematician. Harris received an email from a Google employee which made use of a 512-bit key. Harris factored the key and realized that the key proved to be really weak.

He then used the factored key to send a fake email from Sergey Brin to Larry Page, something he was able to accomplish. Due to the weakness of the signing key, he was able to pose as fake Sergey Brin. In other words, all such emails which make use of weak signings keys and measure less than 1024 bits can be factored and thus, can be cracked by cybercriminals.

Cybercriminals can exploit these weak signing keys to send fake messages to the users, posing to be someone else. Most of these messages, due to their valid signing keys, fall into the main inbox rather than the junk folder and put the user at imminent risk.

Harris eventually tested his method on a number of other email vendors and realized that some of the leading giants on the web, such as Twitter, LinkedIn, Google, Yahoo, Microsoft, HP and many others used the same exploitable encryption mechanism.

Thankfully, Google, Microsoft and Yahoo have been quick to fix the issue which is no longer plaguing the emails sent through the email services of these companies.

Source: Wired

Courtesy: Computer World

[ttjad keyword=”microsoft”]

Salman

Salman Latif is a software engineer with a specific interest in social media, big data and real-world solutions using the two.Other than that, he is a bit of a gypsy. He also writes in his own blog. You can find him on Google+ and Twitter .

Leave a Reply