Web browser makers have rushed to fix a security lapse that cyber thieves abused to impersonate Google+
The loophole exploited ID credentials that browsers use to ensure a website is who it claims to be.
By using the fake credentials, criminals created a website that purported to be part of the Google+ social media network.
The fake ID credentials have been traced back to Turkish security firm TurkTrust which mistakenly issued them.
An investigation by TurkTrust revealed that in August 2011 it twice accidentally issued the wrong type of security credential, a form of identification known as an intermediate certificate. Instead of issuing low level certificates it mistakenly gave out two “master keys” that are typically only given to owners of websites. This master key is a guarantee of a site’s identity.
“These certificates could be used to impersonate any website to any browser without the end user being alerted that anything is wrong,” wrote security analyst Chester Wisniewski from Sophos in a blogpost about the security lapse.
The certificates are important, he said, because secure use of web shops and other services revolve around interaction between the master keys and the lower level security credentials.
The lapse was spotted when automatic checks built in to Google’s Chrome browser noticed the fake credentials.
Google, Microsoft and Firefox developer Mozilla have all issued updates which revoke the two wrongly issued master security certificates. In addition, Mozilla has updated Firefox to reject any certificate issued by TurkTrust while the browser maker investigates the security lapse.
This is not the first time that websites and browser makers have had a problem with security certificates. Fake certificates have been issued before now by several other firms and exposed confidential data including login names and passwords.
“It is really time we move on from this 20-year-old, poorly implemented system,” wrote Mr Wisniewski. “It doesn’t need to be perfect to beat what we have.”