Google, Microsoft and Mozilla have jumped to shore up defences against an attack that used a fraudulent digital certificate to fool people into handing information over to spoofed Google.com services.
After being alerted by users, Google warned on Monday that intruders had tried to get between Iranian web users and encrypted Google services using a man-in-the-middle attack. The attack could have put users' sensitive information, such as login credentials, at risk.
The attack attempted to steer people to a seemingly legitimate Google services page that presented a fraudulently issued SSL certificate for Google.com, so browsers accepted it as a genuine Google server and showed no warning. For example, a user could have thought they were writing a Gmail message when in fact the contents would have been captured by the attacker.
"The people affected were primarily located in Iran," Heather Adkins, information security manager at Google, said in a blog post. "The attacker used a fraudulent SSL certificate issued by DigiNotar, a root certificate authority that should not issue certificates for Google (and has since revoked it)."
In response, web companies scrambled to mitigate the danger to their users from the attack. On Monday, Mozilla updated Firefox for Desktop, Thunderbird and SeaMonkey so that they no longer trust the fraudulently issued certificate, while Microsoft said websites with certificates issued by DigiNotar would no longer be trusted by Windows Vista and later versions of the operating system.
In addition, Google blocked 247 certificates in the Chromium source code, which security company Sophos suggested were likely to have been linked to the attack.
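The responses described above (a root pulled from the trust store, specific certificates blocklisted, and the underlying problem that a CA with no business issuing for Google could do so) all play out in the client's certificate check. The Go program below is an added example, not code from Google, Mozilla, Microsoft or DigiNotar: it generates a legitimate root, a compromised root and a leaf certificate for www.google.com signed by each (all constructed in-process, none of them real Google or DigiNotar certificates), then shows how a client that trusts both roots accepts the rogue leaf, while a client that has distrusted the root, blocklisted the certificate's fingerprint, or pinned the host to the legitimate CA's public key rejects it. The host name, CA names and policy labels are assumptions for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Host the fraudulent certificate is for (assumed). All certificates below are generated in-process.
const host = "www.google.com"

func check(err error) { if err != nil { panic(err) } }

func hexSHA256(b []byte) string { return fmt.Sprintf("%x", sha256.Sum256(b)) }

// mkCert signs tmpl with parentKey (self-signed when parent is nil) and returns it with its new key.
func mkCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

func newRoot(name string, serial int64) (*x509.Certificate, *ecdsa.PrivateKey) {
	return mkCert(&x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: name},
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}, nil, nil)
}

func newLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, serial int64) *x509.Certificate {
	c, _ := mkCert(&x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: host},
		DNSNames: []string{host}, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}, ca, caKey)
	return c
}

// Policy is the client's side of the decision. An empty Pins map means the host is not pinned.
type Policy struct {
	Roots     *x509.CertPool
	Blocklist map[string]bool // hex SHA-256 of the whole DER certificate
	Pins      map[string]bool // hex SHA-256 of a CA's SubjectPublicKeyInfo
}

// Accepts reports whether leaf would be accepted for host under p.
func (p Policy) Accepts(leaf *x509.Certificate) bool {
	if p.Blocklist[hexSHA256(leaf.Raw)] {
		return false // revoked client-side, whatever the chain says
	}
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: p.Roots, DNSName: host})
	if err != nil {
		return false // no path to a trusted root, name mismatch, expiry, ...
	}
	if len(p.Pins) == 0 {
		return true
	}
	for _, chain := range chains { // some CA above the leaf must hold a pinned key
		for _, c := range chain[1:] {
			if p.Pins[hexSHA256(c.RawSubjectPublicKeyInfo)] {
				return true
			}
		}
	}
	return false
}

// RunChecks reproduces the trust decisions; keys are "<policy>/<leaf>", values are "accepted?".
func RunChecks() map[string]bool {
	legitRoot, legitKey := newRoot("Legit Root CA (constructed)", 1)
	rogueRoot, rogueKey := newRoot("Compromised Root CA (constructed)", 2)
	legitLeaf := newLeaf(legitRoot, legitKey, 100)
	rogueLeaf := newLeaf(rogueRoot, rogueKey, 200) // fraudulently issued for host
	both, legitOnly := x509.NewCertPool(), x509.NewCertPool()
	both.AddCert(legitRoot)
	both.AddCert(rogueRoot)
	legitOnly.AddCert(legitRoot) // rogue root pulled, as a vendor distrust update does
	policies := map[string]Policy{
		"naive":     {Roots: both},
		"distrust":  {Roots: legitOnly},
		"blocklist": {Roots: both, Blocklist: map[string]bool{hexSHA256(rogueLeaf.Raw): true}},
		"pinned":    {Roots: both, Pins: map[string]bool{hexSHA256(legitRoot.RawSubjectPublicKeyInfo): true}},
	}
	out := map[string]bool{}
	for name, p := range policies {
		out[name+"/legit"] = p.Accepts(legitLeaf)
		out[name+"/rogue"] = p.Accepts(rogueLeaf)
	}
	return out
}

func main() { fmt.Println(RunChecks()) }
```

Only the "naive" policy accepts the rogue leaf; the other three reject it while still accepting the legitimate one. Distrusting the root and blocklisting individual certificates are reactive, since both need the fraud to have been discovered first; pinning the host to a known CA key is the one check that enforces "this CA should not issue for this host" before anyone has noticed a bad certificate.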
Vasco, the parent company of DigiNotar, put the problem down to a hack of the Dutch certificate authority on 19 July. It said on Tuesday the hackers had fraudulently issued certificates for a number of domains, including Google.com. The fraud also covered Extended Validation SSL (EVSSL) certificates, which have more stringent issuing guidelines.
DigiNotar revoked the certificates when it found out about the attack, but did not revoke the particular certificate for Google.com. The company had not responded to a request for comment at the time of writing.
The Dutch company's portal has been hacked by a number of groups, including people claiming to be Iranian, according to F-Secure's chief research officer Mikko Hypponen.
"Didn't DigiNotar think it's a tad weird that Google would suddenly renew their SSL certificate and decide to do it with a mid-sized Dutch [certificate authority], of all places?" Hypponen said in a blog post. "And when DigiNotar was auditing their systems after the breach, how on earth did they miss the Iranian defacement?"
The hackers were probably looking for information on Gmail, Google Docs, and Google+ users, Hypponen suggested. "It's likely the government of Iran is using these techniques to monitor local dissidents," he said.