San Francisco, Aug 13: Security researchers on Monday said they have found serious flaws in Microsoft's Internet Explorer browser and in PGP, a widely used data scrambling program, that could expose credit card and other sensitive information of Internet users.

The Internet Explorer (IE) problem has been around for at least five years and could allow an attacker to intercept personal data when a user is making a purchase or providing information for e-commerce purposes, said Mike Benham, an independent security researcher based in San Francisco. "If you ever typed in credit card information to an SSL site there's a chance that somebody intercepted it," he added.


Internet Explorer fails to check the validity of digital certificates used to prove the identity of Websites, allowing for an "undetected, man in the middle attack", he said.


Digital certificates are typically issued by trusted certificate authorities, such as VeriSign, and used by Websites in conjunction with the Secure Sockets Layer (SSL) protocol for encryption and authentication. Anyone with a valid digital certificate for any Website can generate a valid certificate for any other Website, according to Benham.
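The rule a chain validator has to enforce to rule out what this paragraph describes is that any certificate used to issue another must itself be marked as a certificate authority. The sketch below is an added example, not code from the article or from any vendor; it uses a simplified certificate model with constructed names and assumes signature verification is done elsewhere.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    """Simplified certificate (assumption: signatures are verified elsewhere)."""
    subject: str
    issuer: str
    is_ca: bool  # models the X.509 basicConstraints CA flag


def validate_chain(chain, trusted_roots, hostname):
    """Return a list of problems; an empty list means the chain is acceptable.

    chain is ordered leaf first: [leaf, intermediate, ..., root].
    """
    if not chain:
        return ["empty chain"]
    problems = []
    if chain[0].subject != hostname:
        problems.append(f"leaf {chain[0].subject!r} does not match {hostname!r}")
    for child, parent in zip(chain, chain[1:]):
        if child.issuer != parent.subject:
            problems.append(f"{child.subject!r} not issued by {parent.subject!r}")
        # An ordinary site certificate must never be accepted as an issuer.
        if not parent.is_ca:
            problems.append(f"{parent.subject!r} signed a certificate but is not a CA")
    if chain[-1] not in trusted_roots:
        problems.append("chain does not end at a trusted root")
    return problems


# Constructed sample data (hypothetical names, not from the article).
ROOT = Cert("Example Root CA", "Example Root CA", True)
ROOTS = {ROOT}
SITE_A = Cert("shop-a.example", "Example Root CA", False)
GOOD_CHAIN = [Cert("bank.example", "Example Root CA", False), ROOT]
# A certificate for another site, issued by SITE_A's ordinary site certificate.
BAD_CHAIN = [Cert("bank.example", "shop-a.example", False), SITE_A, ROOT]

if __name__ == "__main__":
    print(validate_chain(GOOD_CHAIN, ROOTS, "bank.example"))
    print(validate_chain(BAD_CHAIN, ROOTS, "bank.example"))
```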


"I would consider this to be incredibly severe," he added.


Cryptography expert Bruce Schneier agreed.


"This is one of the worst cryptographic vulnerabilities I've seen in a long time," said Schneier, co-founder and chief technology officer at Counterpane Internet Security, a Cupertino, California-based network monitoring firm. "What this means is that all the cryptographic protections of SSL don't work if you're a Microsoft IE user," Schneier added.

Bureau Report