Google uncovers Poodle flaw in Web encryption standard

The POODLE security bug in the SSL 3.0 web encryption protocol lets a network attacker recover encrypted data such as session cookies, exposing email, banking and social networking accounts.

Published Date
15 - Oct - 2014
| Last Updated
15 - Oct - 2014
 

Google security engineers have disclosed a vulnerability, dubbed POODLE, in the SSL 3.0 web encryption protocol. It lets an attacker positioned on the network path decrypt parts of a connection that has been downgraded to SSL 3.0, exposing browser session cookies, but researchers say it is less severe than the Heartbleed or Shellshock bugs.

Google security engineers Bodo Möller, Krzysztof Kotowicz and Thai Duong wrote in their advisory that POODLE is a new security hole in Secure Sockets Layer (SSL) 3.0 that means the 15-year-old protocol can no longer be used safely, and that moving the Web off it will be difficult. "POODLE" stands for Padding Oracle On Downgraded Legacy Encryption.

Security experts said the bug could let attackers steal browser "cookies" but was not very serious. Ivan Ristic, director of application security research with Qualys and an expert in SSL, said: "It's quite complicated. It requires the attacker to have a privileged position in the network."

Jeff Moss, founder of the Def Con hacking conference and an adviser to the U.S. Department of Homeland Security, said attackers could exploit the bug to steal browser session cookies for social networks, email providers and banks that still use the technology, and so take control of those accounts. They would, however, need to mount a "man-in-the-middle" attack; a common approach, he added, is to set up a rogue WiFi "hot spot" in an Internet cafe.

Moss advised businesses and computer users to disable SSL 3.0 on their servers and in their browsers. "It's not going to take out the infrastructure of the Internet. But it's going to be a hassle to fix," he said.
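The article expands the acronym but does not show what a padding oracle is, or why Moss's advice to disable SSL 3.0 closes the hole. The Python model below is added here; it is not code from Google's advisory or from this article. It reproduces the core of the POODLE attack against an SSL 3.0-style record layer and then runs the same attacker against the TLS 1.0 padding rule. Everything in it is constructed: the 16-byte Feistel "cipher" built from SHA-256 is a stand-in for a real block cipher (the weakness lives in how CBC padding is checked, not in the cipher), a per-record random IV replaces SSL 3.0's chained IV, truncated HMAC-SHA256 stands in for the SSL 3.0 MAC, and the keys, the cookie value `sid=7f3a` and the function names (`encrypt_record`, `receive_record`, `recover_secret`, `demo`) are the example's own. The protocol-downgrade step and the injected JavaScript that makes the browser re-send requests are assumed rather than modelled: `send()` simply returns a freshly encrypted record each time.

```python
import hashlib
import hmac
import random

BLOCK = 16    # cipher block size in bytes
MAC_LEN = 16  # MAC tag length (SSL 3.0 used 16-byte MD5 or 20-byte SHA-1 tags)

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

# Toy 16-byte block cipher: a 4-round Feistel network with SHA-256 as the round
# function. Not secure; it only stands in for a real cipher so the example runs on
# the standard library. CBC, padding and the receive-side checks are the SSL/TLS parts.
def _round(key, i, half):
    return hashlib.sha256(key + bytes([i]) + half).digest()[:8]

def block_encrypt(key, block):
    l, r = block[:8], block[8:]
    for i in range(4):
        l, r = r, _xor(l, _round(key, i, r))
    return l + r

def block_decrypt(key, block):
    l, r = block[:8], block[8:]
    for i in reversed(range(4)):
        l, r = _xor(r, _round(key, i, l)), l
    return l + r

def _mac(mac_key, data):
    return hmac.new(mac_key, data, hashlib.sha256).digest()[:MAC_LEN]

def encrypt_record(key, mac_key, plaintext, rng, tls_padding=False):
    """MAC-then-pad-then-CBC-encrypt, as SSL 3.0 and TLS 1.0 do. A random IV is
    prepended (simplification: SSL 3.0 chains the IV across records)."""
    body = plaintext + _mac(mac_key, plaintext)
    padlen = BLOCK - 1 - len(body) % BLOCK              # SSL 3.0: 0 <= padlen < BLOCK
    if tls_padding:
        pad = bytes([padlen]) * padlen                   # TLS: every pad byte == padlen
    else:
        pad = bytes(rng.getrandbits(8) for _ in range(padlen))  # SSL 3.0: unspecified
    body += pad + bytes([padlen])
    prev = out = bytes(rng.getrandbits(8) for _ in range(BLOCK))
    for i in range(0, len(body), BLOCK):
        prev = block_encrypt(key, _xor(body[i:i + BLOCK], prev))
        out += prev
    return out

def _cbc_decrypt(key, record):
    c = [record[i:i + BLOCK] for i in range(0, len(record), BLOCK)]
    return b"".join(_xor(block_decrypt(key, cur), prev) for prev, cur in zip(c, c[1:]))

def receive_record(key, mac_key, record, tls_check=False):
    """Server side: True if the record is accepted. SSL 3.0 (tls_check=False) inspects
    only the final length byte and never the padding bytes, which is the oracle POODLE
    exploits; TLS 1.0+ (tls_check=True) requires every padding byte to equal it."""
    body = _cbc_decrypt(key, record)
    padlen = body[-1]
    if padlen + 1 + MAC_LEN > len(body) or (not tls_check and padlen >= BLOCK):
        return False
    if tls_check and any(b != padlen for b in body[-(padlen + 1):-1]):
        return False
    body = body[:-(padlen + 1)]
    return hmac.compare_digest(body[-MAC_LEN:], _mac(mac_key, body[:-MAC_LEN]))

def recover_secret(send, oracle, secret_len, max_tries=20000):
    """POODLE attacker on the network path. send(prefix_len, suffix_len) makes the
    victim emit a fresh record for prefix || secret || suffix (in the real attack,
    injected JavaScript issues the requests and the browser attaches the cookie);
    oracle(record) reports whether the server accepted a tampered record.
    Returns (recovered_bytes, tries); stops early once a byte exceeds max_tries."""
    recovered, tries = bytearray(), 0
    for i in range(secret_len):
        prefix_len = (BLOCK - 1 - i) % BLOCK             # secret[i] lands at a block end
        suffix_len = -(prefix_len + secret_len) % BLOCK  # plaintext+MAC fill whole blocks,
        t = (prefix_len + i) // BLOCK + 1                # so the last block is pure padding
        for attempt in range(1, max_tries + 1):
            rec = send(prefix_len, suffix_len)
            c = [rec[j:j + BLOCK] for j in range(0, len(rec), BLOCK)]  # c[0] is the IV
            if oracle(b"".join(c[:-1]) + c[t]):          # C_t replaces the padding block
                # Accepted, so D(C_t)[15] ^ C_{n-2}[15] == 15, and D(C_t) = P_t ^ C_{t-1}.
                recovered.append((BLOCK - 1) ^ c[-2][-1] ^ c[t - 1][-1])
                tries += attempt
                break
        else:
            return bytes(recovered), tries + max_tries
    return bytes(recovered), tries

def demo(tls_mode=False, max_tries=20000):
    """Attack a constructed session; tls_mode=True applies the TLS 1.0 padding rule."""
    rng = random.Random(2014)                 # seeded so the run is reproducible
    key, mac_key = b"K" * 16, b"M" * 16       # constructed keys; the attacker never sees them
    secret = b"sid=7f3a"                      # constructed cookie value to be stolen
    def send(p, s):
        return encrypt_record(key, mac_key, b"A" * p + secret + b"B" * s, rng, tls_mode)
    def oracle(rec):
        return receive_record(key, mac_key, rec, tls_mode)
    return recover_secret(send, oracle, len(secret), max_tries)

if __name__ == "__main__":
    print("SSL 3.0:", demo())              # full cookie, roughly 256 tries per byte
    print("TLS 1.0:", demo(True, 2000))    # nothing recovered within the budget
```

`demo()` recovers the whole cookie value from the SSL 3.0-style peer in about 256 tampered requests per byte: the server accepts the forged record exactly when the last byte of the substituted block happens to decrypt to 15, and that single accept/reject bit leaks one plaintext byte. `demo(tls_mode=True, max_tries=2000)` gives the same attacker nothing, because the TLS receiver also demands that every padding byte match the length byte, so a random block passes with probability about 2^-128 instead of 1/256. That difference is the whole reason the remedy is to turn SSL 3.0 off rather than to patch it.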

Rumors of a new bug in the OpenSSL software had been circulating on Twitter and technology news sites for days; POODLE, however, is a flaw in the design of the SSL 3.0 protocol itself rather than in any single implementation. Earlier this year researchers discovered the "Heartbleed" bug in OpenSSL, which affected nearly two-thirds of all websites and thousands of other technology products, and last month a bug dubbed "Shellshock" was uncovered in the Unix shell Bash.

Source: Google