Researchers find new web encryption bug, warn of 'Poodle' attack

A Google search page is seen through a magnifying glass in this photo illustration taken in Brussels May 30, 2014. REUTERS/Francois Lenoir

BOSTON (Reuters) - Three Google Inc researchers have uncovered a security bug in widely used web encryption technology that they say could allow hackers to steal data in what they have dubbed a "Poodle" attack. "Poodle" stands for Padding Oracle On Downloaded Legacy Encryption. The problem is an 18-year old encryption standard, known as SSL 3.0, which is still widely used in web browsers and websites. It was disclosed in a research paper published late on Tuesday on the website of the OpenSSL Project, a group that develops the most widely used type of SSL encryption software. Rumors that a new bug in OpenSSL software had been circulating on Twitter and technology news sites in recent days, prompting some corporate security professionals to prepare to respond to a major new threat this week. So far this year, they have responded to April's "Heartbleed" bug in OpenSSL, which affected an estimated two-thirds of all websites and thousands of other technology products, as well as last month's "Shellshock" bug in a piece of Unix software known as Bash. But security experts said that the bug disclosed on Tuesday, which could allow hackers to steal browser "cookies," was not as serious as the two prior bugs. "It's quite complicated. It requires the attacker to have a privileged position in the network," said Ivan Ristic, director of application security research with Qualys and an expert in SSL. Jeff Moss, founder of the Def Con hacking conference and an advisor to the U.S. Department of Homeland Security, said that successful attackers could exploit the bug to steal session cookies in browsers, taking control of accounts for email providers, social networks and banks that use that technology. To do that, however, they would need to launch a "man-in-the-middle" attack, placing themselves in between the victim and the websites they were visiting. One common approach is to create a rogue WiFi "hot spot" in an Internet cafe, he said. Matthew Green, assistant research professor at Johns Hopkins University's department of computer science, said this vulnerability was not as bad as either Heartbleed, which allowed hackers to snoop or steal large quantities of data, or Shellshock, which could give attackers remote control of computers. He advised businesses and computer uses to disable SSL 3.0 technology on their servers and browsers, a process that he said can be difficult for the average computer user. "It's not going to take out the infrastructure of the Internet. But it's going to be a hassle to fix," he said. (Reporting by Jim Finkle, editing by G Crosse)