Hackers have obtained a Google website authentication certificate, putting anyone visiting a Google-owned Web property, including Gmail and YouTube, in serious danger.
The Secure Sockets Layer (SSL) certificate allows whoever is wielding it to set up fraudulent Web pages under a legitimate Google domain name; the victims, security researchers say, would believe they were on a perfectly safe Google site while, behind the scenes, attackers could harvest all their personal information.
"This type of attack allows someone to eavesdrop on encrypted traffic, allowing them to decipher traffic which would otherwise not be possible," Kaspersky Lab researcher Roel Schouwenberg told SecurityNewsDaily.
Why is this so scary?
Most phishing emails or spoofed websites look legitimate, but close inspection will reveal a misspelled URL or an unencrypted Web session, or a third-party Web page that bears no resemblance to the original address. Anti-virus software often will detect these rogue pages as threats before they even get to you.
A stolen SSL certificate, however, could mean that when you log on to your Gmail account, or receive an email with a link to any Google.com Web domain (a YouTube video, for example), all of your credentials could be up for grabs.
"This particular certificate is a so-called 'wildcard' certificate," Schouwenberg said. "It's valid for any google.com subdomain. This means this certificate allows an attacker to eavesdrop on virtually all of Google's services, including Gmail, while the traffic is encrypted. This will allow the attacker to not only read/write emails but also grab the target's Google credentials."
Even worse, your computer — and you — would never even know, because nothing about the site would seem off. After all, the attack could take place on an encrypted Gmail page.
How did it happen?
Hackers accessed the SSL certificate on July 19 from DigiNotar, a Dutch certificate authority, which said in a press release that the breach "resulted in the fraudulent issuance of public key certificate requests for a number of domains, including Google.com."
DigiNotar said it revoked all the fraudulently issued certificates, but "recently, it was discovered that at least one fraudulent certificate had not been revoked at the time."
That certificate, for Google.com, has since been revoked, but it existed in the wild for more than five weeks.
An email to DigiNotar was not returned.
Who is behind the hack?
"This type of attack is mostly suited to intelligence/espionage operations," Schouwenberg said. "We have to keep in mind that these attacks are quite targeted and most likely carried out by nation-states."
Mikko Hypponen from the security firm F-Secure captured a screenshot of a compromised DigiNotar Web page that reads, "Hacked by KiAnPhP, Extrance Digital Security Team, Iranian Hackers."
"It's likely the Government of Iran is using these techniques to monitor local dissidents," Hypponen wrote.
Google itself supports this claim, writing in a blog post on Sunday (Aug. 28) that "the people affected were primarily located in Iran."
However, Hypponen came across another defaced DigiNotar Web page that reads, "Hacked by Black.Spook! Persian Gulf For Ever!!!"
"If you keep digging deeper, you'll find that although these Web defacements are still live right now, they are not new," Hypponen wrote. "Much worse: They were done years ago. In fact, these hacks are so old, it's unlikely they are connected to the current problem. Or at least so we hope."
What can you do?
"Unfortunately, there are only very few solutions for this type of problem," Schouwenberg told SecurityNewsDaily. "Right now, we have to rely on the browser makers to release an update to the browser which blacklists this particular certificate."
Thankfully, Mozilla Firefox, Microsoft Internet Explorer and Google Chrome have all updated their Web browsers to block the stolen Google SSL certificate.
Google warns users, especially located in Iran, to "keep their Web browsers and operating systems up to date and pay attention to Web browser security warnings."