Security researchers announced on March 3, 2015 a vulnerability dubbed “FREAK” (Factoring attack on RSA-EXPORT Keys). An attacker positioned on the network between a browser and a website can use it to downgrade a TLS connection to weak 512-bit “export-grade” RSA, factor that key, and then decrypt or tamper with what was meant to be a secure browser session.
OneLogin is not affected by this vulnerability.
The vulnerability is rooted in the deliberately weakened “export” cipher suites that U.S. Government export policy required of software shipped abroad in the 1990s. The policy went away, but the suites linger on many servers to this day, and a client bug (CVE-2015-0204 in OpenSSL, with similar flaws in other TLS clients) accepts a 512-bit export RSA key from the server even when the client never asked for an export cipher suite. Factoring a 512-bit RSA key, once a serious undertaking, now costs a few hours of cheaply rented computing power, which is what makes the attack practical.
OneLogin is not affected by this vulnerability, but a large number of other websites in both the private and public sector are. A sampling of these is listed on freakattack.com, and the same site tests whether your browser is vulnerable. Run that test rather than assuming: if you are not using the latest version of Chrome, treat your browser as vulnerable until the test says otherwise.
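Site operators can check the server side of the problem themselves: a server is exposed only if it still completes a handshake when offered nothing but export-grade suites. The script below is an added example, not OneLogin's code or tooling from freakattack.com. It assumes an OpenSSL 1.0.x build whose `openssl s_client` still carries the export suites (OpenSSL names them with an `EXP-` prefix, such as `EXP-RC4-MD5`); OpenSSL 1.1.0 and later removed them entirely, which the classifier reports as a third, inconclusive outcome. The sample outputs are constructed, not real captures, so the classifier can be exercised offline.

```shell
#!/bin/sh
# Added example (not OneLogin's code): probe a server for RSA_EXPORT support,
# the server-side precondition for FREAK. Assumes an OpenSSL 1.0.x build whose
# s_client still offers the export suites; 1.1.0+ removed them.

# classify_s_client_output: read `openssl s_client` output on stdin and print
# one of three verdicts.
classify_s_client_output() {
    out=$(cat)
    case "$out" in
        *"Cipher is EXP-"*)
            # Handshake completed with an export suite: server is downgradable.
            echo "EXPORT-ACCEPTED" ;;
        *"no cipher match"*)
            # Local OpenSSL has no export suites at all: probe is inconclusive.
            echo "TOOL-LACKS-EXPORT-SUITES" ;;
        *)
            # Alert or no handshake: server refused every export suite offered.
            echo "EXPORT-REFUSED" ;;
    esac
}

# freak_check HOST [PORT]: offer only export-grade suites and classify the result.
freak_check() {
    host=$1
    port=${2:-443}
    # `echo |` closes s_client's stdin so it exits right after the handshake.
    echo | openssl s_client -connect "$host:$port" -cipher EXPORT 2>&1 \
        | classify_s_client_output
}

# Constructed sample outputs (not real captures), trimmed to the lines the
# classifier inspects.
SAMPLE_VULNERABLE='CONNECTED(00000003)
depth=0 CN = server.example
SSL handshake has read 1024 bytes and written 300 bytes
---
New, TLSv1/SSLv3, Cipher is EXP-RC4-MD5
Server public key is 2048 bit
---'

SAMPLE_SAFE='CONNECTED(00000003)
139872:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:770:
---
no peer certificate available
---
New, (NONE), Cipher is (NONE)
---'

SAMPLE_NO_SUITES='error setting cipher list
139872:error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match:ssl_lib.c:1383:'

# Uncomment to probe a live host (needs network and an OpenSSL with export suites):
# freak_check www.example.com 443
```

`EXPORT-ACCEPTED` means the server is one of the sites a FREAK attacker can downgrade, regardless of whether its certificate key is full strength (the 512-bit key is the ephemeral one the server sends in the ServerKeyExchange message, not the certificate key). The fix on the server side is simply to remove the export suites from the configured cipher list.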
Affected websites have been patching since the vulnerability was announced, but it is still a work in progress. Apple and Google are working on patches for Safari, iOS, and the built-in Android browser, but these may not ship until next week or later. Because any encrypted traffic to an affected website could have been intercepted and your credentials exposed, especially since the announcement made the attack widely known, change your passwords for those sites once your browser is patched. Changing them before the patch offers little protection, since the new password could be captured the same way.
If you are interested in learning more, Matthew Green has written a very thorough post on the vulnerability and how it was validated.
For any security concerns related to this security advisory, please contact firstname.lastname@example.org.