Email vulnerable to 'Poodle' attack, Google warns

DefJam



PUBLISHED : Wednesday, 15 October, 2014, 10:50pm
UPDATED : Thursday, 16 October, 2014, 4:07am

Reuters in Boston


Three Google researchers have uncovered a security bug in widely used web encryption technology. They say it could allow hackers to take over accounts for email, banking and other services in what they have dubbed a Poodle attack.

The discovery of Poodle, which stands for Padding Oracle On Downloaded Legacy Encryption, prompted makers of web browsers to advise users on Tuesday to disable use of the source of the bug: the 18-year-old encryption standard SSL 3.0.

It was the third time this year that researchers had uncovered a vulnerability in widely used web technology, following April's Heartbleed bug in OpenSSL and last month's Shellshock bug in a piece of Unix software known as Bash.

Security experts said that hackers could steal browser cookies in Poodle attacks, potentially taking control of email, banking and social networking accounts. Even so, experts said the threat was not as serious as the two previous bugs.

"If Shellshock and Heartbleed were threat level 10, then Poodle is more like a five or a six," said Tal Klein, vice-president with cloud security firm Adallom.

The threat was disclosed in research published on the website of the OpenSSL Project, which develops the most widely used type of SSL encryption software.

Microsoft issued an advisory suggesting that customers disable SSL 3.0 on Windows for servers and PCs.

Matthew Green, a professor of computer science at Johns Hopkins University, said that disabling SSL 3.0 could be difficult for some computer users.

"It's not going to take out the infrastructure of the internet. But it's going to be a hassle to fix."

 