A vast number of hugely-successful websites – including the likes of Facebook and PayPal – recently tested positive for a dangerous 19-year-old vulnerability.
According to the hackers who uncovered the vulnerability, dubbed “ROBOT Attack”, over a quarter of the top 100 most popular sites online, according to Alexa, are affected.
The ROBOT Attack exploit could allow cybercriminals to decrypt encrypted data and sign communications with the websites’ secret encryption key.
The vulnerability could easily have devastating for users’ data.
Worse still, the flaw was first uncovered back in 1998 by Daniel Bleichenbacher of Bell Laboratories.
According to the benevolent hackers that uncovered the vulnerability in Facebook, “We discovered that by using some slight variations this vulnerability can still be used against many HTTPS hosts in today’s Internet.”
“For hosts that are vulnerable and only support RSA encryption key exchanges it’s pretty bad. It means an attacker can passively record traffic and later decrypt it.”
Facebook patched the vulnerability in October after it was tipped-off from benevolent hackers Hanno Böck, Juraj Somorovsky and Craig Young.
In a statement to Forbes, a spokesperson for the social network said: “We are grateful to the researchers who brought this to our attention.
“We quickly fixed the issue, which was introduced by a custom patch we developed and wasn’t caught in our testing or an external audit.
“We are not aware of any abuse of this issue, and we paid awards to the researchers through our bug bounty program.
“We also assisted the researchers in further exploring the impact of this issue for other services around the web.”
Facebook has not disclosed how much Hanno Böck, Juraj Somorovsky and Craig Young were paid.
There are many domains which have yet to take action to secure their sites against the attack.
ROBOT Attack also affects a number of web server technologies, the researchers have claimed.
Hanno Böck, Juraj Somorovsky and Craig Young have provided a list of those vulnerable to the attack, which includes Cisco.
According to the hackers, “The surprising fact is that our research was very straightforward. We used minor variations of the original attack and were successful.
“This issue was hiding in plain sight. This means neither the vendors of the affected products nor security researchers have investigated this before, although it’s a very classic and well-known attack.”
Express.co.uk has approached PayPal for comment on this story.