The NSA-discovered vulnerability in Windows 10 doesn't just affect the Microsoft operating system; it can also help disguise hacking attempts on Google's Chrome browser.
On Wednesday, security researchers began demonstrating how you can use the Windows 10 flaw, CVE-2020-0601, to spoof trusted digital certificates for official website domains on Chrome.
One expert, Saleem Rashid, did this by spoofing the SSL certificate for the NSA.gov site, which was first reported by Ars Technica.
Thanks to the vulnerability, Google's browser will mistakenly interpret the certificate as valid when in reality it's a fake.
thanks to 's hint :)
the biggest constraints are Chrome's tight certificate policies and that the root CA must be cached, which you can trigger by visiting a legitimate site that uses the certificate
— Saleem Rashid (@saleemrash1d)
The misreading occurs because Chrome on Windows relies on Windows 10's CryptoAPI to validate certificates, Yolan Romailler of Kudelski Security told Daxdi.
Unfortunately, that API has a serious bug in how it validates certificates that use elliptic curve cryptography: it accepts a certificate whose public key matches a cached trusted root without checking that the certificate's own curve parameters (in particular the generator point) match the root's, which is exactly what lets an attacker craft a key that looks like the root's.
On Tuesday, Microsoft warned that you can actually rig a certificate to trick the system into thinking it's real and from a trusted source.
That has security experts, including officials at the NSA, alarmed.
In the wrong hands, the flaw could help hackers create official-looking websites, when in reality they've been designed to steal your information.
Romailler has created a proof-of-concept anyone can visit to see the flaw in action.
Using a vulnerable Windows 10 machine, Daxdi tried it: the demo works in Chrome and in Microsoft's Edge browser, but not in Firefox, which ships its own certificate validation code (NSS) rather than calling CryptoAPI and displays a connection error when the test site is loaded.
Although the flaw is disturbing, it's important to note that hackers have been successfully duping victims with lookalike phishing websites for decades now, without exploiting flaws in Windows' CryptoAPI.
The real threat is an adversary, such as a foreign government or elite nation-state hackers, that controls the network path between users and the sites they visit.
That adversary could secretly stage a "man-in-the-middle attack," intercepting traffic bound for a major website and serving users a hacker-controlled site that impersonates the real domain.
An example of this happened in 2015, when users in China attempting to visit Microsoft's Outlook.com were briefly re-directed to a lookalike site on the same domain.
Thankfully, users were tipped off because their browsers warned that the site's certificate was not trusted.
However, the CryptoAPI bug threatens to undermine this important safeguard.
The good news is that Microsoft has issued a patch to fix the flaw, which is also rolling out directly to Windows 10 users who have automatic updates turned on.
According to Ars Technica, Google is also working on a fix for the Chrome browser that's already available in the beta versions.
On Chrome, exploiting the flaw required Romailler to write only about 50 lines of code.
However, to successfully spoof a certificate, the root certificate being impersonated must already be present in Windows' certificate cache, which Chrome relies on; the check that goes wrong is the one against that cached root.
That can be arranged simply by getting the browser to first visit a legitimate website whose certificate chains to that root before carrying out the spoofing attack.
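To make the mechanism concrete, here is an added Python model of the CurveBall bug (this is not Romailler's or Rashid's code and not CryptoAPI itself): the attacker picks private key 1 and a generator equal to the trusted root's public key, so the forged root carries exactly the same public key bytes. A verifier that matches the presented root against its cache by public key only, and then verifies the signature with the curve parameters supplied in the untrusted certificate, accepts the forged chain; a verifier that also compares the parameters rejects it. The curve arithmetic is textbook P-256 written inline; the root store, the certificate dicts and the `check_params` switch are simplifications assumed for the demo, and the trusted root's private key is generated at random so it plays the role of a key the attacker does not know.

```python
"""Model of CVE-2020-0601 ("CurveBall"): an ECDSA verifier that trusts a root
by public key alone and then verifies with the curve parameters supplied by
the untrusted certificate. Added example, not code from the article."""
import hashlib
import secrets

# NIST P-256 domain parameters (standard values).
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)


def ec_add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication (not constant-time; demo only)."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc


def _hash(msg):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N


def ecdsa_sign(priv, gen, msg):
    """ECDSA over P-256 using the caller-supplied generator `gen`."""
    e = _hash(msg)
    while True:
        k = secrets.randbelow(N - 1) + 1
        r = ec_mul(k, gen)[0] % N
        s = pow(k, -1, N) * (e + r * priv) % N
        if r and s:
            return (r, s)


def ecdsa_verify(pub, gen, msg, sig):
    """ECDSA verification; `gen` is whatever generator the caller trusts."""
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    w = pow(s, -1, N)
    x = ec_add(ec_mul(_hash(msg) * w % N, gen), ec_mul(r * w % N, pub))
    return x is not None and x[0] % N == r


def make_root():
    """Genuine root CA: random private key (unknown to the attacker), standard G."""
    d = secrets.randbelow(N - 1) + 1
    return {"priv": d, "cert": {"pub": ec_mul(d, G), "gen": G}}


def forge_root(trusted_pub):
    """CurveBall: choose d' = 1 and generator G' = Q, so Q' = 1 * G' = Q exactly."""
    return {"priv": 1, "cert": {"pub": trusted_pub, "gen": trusted_pub}}


def issue_leaf(issuer, subject):
    """Issuer signs the leaf subject under the issuer certificate's own parameters."""
    return {"subject": subject,
            "sig": ecdsa_sign(issuer["priv"], issuer["cert"]["gen"], subject)}


def validate_chain(leaf, presented_root, root_store, check_params):
    """root_store models the cached trusted roots. With check_params=False the
    presented root is matched by public key only and its own generator is used
    for verification (the bug); with check_params=True the cached parameters
    must match as well (the fix)."""
    trusted = next((c for c in root_store if c["pub"] == presented_root["pub"]), None)
    if trusted is None:
        return False  # root not cached: the constraint Rashid mentions
    if check_params and trusted["gen"] != presented_root["gen"]:
        return False
    return ecdsa_verify(presented_root["pub"], presented_root["gen"],
                        leaf["subject"], leaf["sig"])


def demo():
    root = make_root()
    store = [root["cert"]]
    genuine_leaf = issue_leaf(root, b"CN=nsa.gov")
    forged = forge_root(root["cert"]["pub"])
    forged_leaf = issue_leaf(forged, b"CN=nsa.gov")
    return {
        "genuine_vuln": validate_chain(genuine_leaf, root["cert"], store, False),
        "genuine_fixed": validate_chain(genuine_leaf, root["cert"], store, True),
        "forged_vuln": validate_chain(forged_leaf, forged["cert"], store, False),
        "forged_fixed": validate_chain(forged_leaf, forged["cert"], store, True),
        # Same forged signature checked against the real root under the real G.
        "forged_real_params": ecdsa_verify(root["cert"]["pub"], G, b"CN=nsa.gov",
                                           forged_leaf["sig"]),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

The forged signature is mathematically valid under the attacker's parameters, so the vulnerable verifier has nothing to complain about once the public key match has convinced it that the certificate is the cached root; only the parameter comparison exposes the substitution. The same signature verified under the genuine generator fails, which is why the bug is a parameter-binding error rather than a break in ECDSA.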