Security researchers are demonstrating how you can use the Windows 10 flaw, CVE-2020-0601,

to spoof the trusted digital certificates for official website domains on Google's Chrome browser.

These same certificates can warn you about hacking attempts.

 

 

 

 

The NSA-discovered vulnerability in Windows 10 doesn't just affect the Microsoft operating system;

it can also help disguise hacking attempts on Google's Chrome browser.

 

On Wednesday, security researchers began demonstrating how you can use the Windows 10 flaw,

CVE-2020-0601, to spoof trusted digital certificates for official website domains on Chrome.

 

One expert, Saleem Rashid, did this by spoofing the SSL certificate for the NSA.gov site, which

was first reported by Ars Technica. Thanks to the vulnerability, Google's browser will mistakenly

interpret the certificate as valid when in reality it's a fake.

 

 

 

 

The misreading occurs because Chrome is relying on Windows 10's CryptoAPI to validate the

certificates, Yolan Romailler at Kudelski Security. Unfortunately, the same API has a serious bug

on vetting elliptic curve cryptography.

 

That has security experts, including officials at the NSA, alarmed. In the wrong hands, the flaw

could help  hackers create official-looking websites, when in reality they've been designed to steal

your information. Romailler has created a proof-of-concept anyone can visit to see the flaw in action. 

 

Although the flaw is disturbing, it's important to note that hackers have been successfully duping

victims with lookalike phishing websites for decades now, without exploiting flaws in Windows'

CryptoAPI. The real threat is if an adversary, like a foreign government or elite nation-state hackers,

controls an internet network. The adversary could secretly stage a "man-in-the-middle attack" by

intercepting the traffic to a major website, and re-directing all the users to a hacker-controlled domain.

 

 

 

 

An example of this happened in 2015, when users in China attempting to visit Microsoft's Outlook.com

were briefly re-directed to a lookalike site on the same domain. Thankfully, users were tipped off because

their  browsers failed to return a trusted digital certificate. However, the CryptoAPI bug threatens to undermine

this important safeguard.

 

The good news is that Microsoft has issued a patch to fix the flaw, which is also rolling out directly to

Windows 10 users who have automatic updates turned on. According to Ars Technica, Google is also

working on a fix for the Chrome browser that's already available in the beta versions.

 

On Chrome, exploiting the flaw only required Romailler writing 50 lines of computer code. However,

to successfully spoof a certificate, Chrome must have already loaded and stored the root certificate in the

browser's cache. This can be done simply by directing the browser to first visit a separate website with the

root certificate before engaging in thespoofing attack.