Google researchers warn of POODLE vulnerability in SSL encryption standard

16 Oct 2014


Older web technology continues to be dogged by revelations that expose its vulnerabilities. A trio of Google security engineers proved that the encryption standard Secure Sockets Layer could be circumvented thanks to a new vulnerability they named "POODLE", CNET reported.

In a new report published yesterday, Google security engineers Bodo Möller, Krzysztof Kotowicz and Thai Duong describe POODLE as a new security hole in Secure Sockets Layer (SSL) 3.0 that makes the 15-year-old protocol nearly impossible to use safely.

The vulnerability allows encrypted, ostensibly secret information to be exposed by an attacker with network access.

POODLE, an acronym for Padding Oracle On Downgraded Legacy Encryption, is a problem because SSL 3.0 is used by both websites and web browsers. Both need to be reconfigured to stop using SSL 3.0, and POODLE will remain a problem for as long as SSL 3.0 is supported.

While SSL 3.0 is no longer the most advanced form of web encryption in use, according to Möller browsers and secure HTTP servers still keep it as a fallback for when a connection attempt using Transport Layer Security (TLS), SSL's more modern and less vulnerable younger sibling, fails.
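Because the fix is to stop both sides from accepting SSL 3.0, an administrator will want a way to confirm that their own servers no longer complete an SSL 3.0 handshake. The following Python script is an added example, not code from the article or from Google's report: it sends a minimal SSL 3.0 ClientHello and reports how the server answers. The cipher-suite list and the verdict labels are constructed for this example.

```python
"""Check whether a server you administer still accepts SSL 3.0 (POODLE exposure).

Sends a minimal SSLv3 ClientHello and classifies the first record sent back.
"""
import os
import socket
import struct

SSLV3 = b"\x03\x00"                      # protocol version 3.0 on the wire
# Constructed list of common SSLv3-era cipher suites (AES, 3DES, RC4 with RSA).
SSLV3_CIPHERS = [0x002F, 0x0035, 0x000A, 0x0005, 0x0004]

def build_sslv3_client_hello() -> bytes:
    """Assemble an SSLv3 ClientHello inside a handshake record."""
    suites = b"".join(struct.pack("!H", c) for c in SSLV3_CIPHERS)
    body = (SSLV3 + os.urandom(32)                  # client_version + random
            + b"\x00"                               # empty session id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00")                          # one compression method: null
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # type 1 = ClientHello
    return b"\x16" + SSLV3 + struct.pack("!H", len(handshake)) + handshake

def classify_response(data: bytes) -> str:
    """Map the server's first record to an audit verdict (labels are ours)."""
    if len(data) < 6:
        return "no-response"            # closed connection or nothing readable
    record_type, version = data[0], data[1:3]
    if record_type == 0x16 and data[5] == 0x02:     # handshake record, ServerHello
        return "sslv3-accepted" if version == SSLV3 else "other-version"
    if record_type == 0x15:                          # alert record
        return "sslv3-rejected"
    return "not-ssl"

def probe(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Connect, send the SSLv3 ClientHello and classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv3_client_hello())
        try:
            reply = sock.recv(4096)
        except socket.timeout:
            reply = b""
    return classify_response(reply)

if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1]))
```

A server that simply closes the connection (reported as "no-response") has also declined SSL 3.0; only "sslv3-accepted" means the fallback is still open.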

This is the third time this year that researchers have uncovered a vulnerability in widely used web technology, following April's "Heartbleed" bug in OpenSSL and the "Shellshock" bug in the Unix shell Bash discovered last month, Reuters reported.

According to security experts, hackers could steal browser "cookies" in "Poodle" attacks, potentially taking control of email, banking and social networking accounts. However, they say the threat was not as serious as the two prior bugs.

If Shellshock and Heartbleed were Threat Level 10, then Poodle was more like a 5 or a 6, according to Tal Klein, vice president with cloud security firm Adallom.

Rumors of a bug in SSL software had been circulating in recent days, and some security professionals were preparing for a major new threat this week.

According to Ivan Ristic, director of application security research with Qualys, "Poodle" did not pose as serious a threat as the earlier bugs because the attack was "quite complicated," and needed hackers to have privileged access to networks.

According to Jeff Moss, a cyber adviser to the US Department of Homeland Security, attackers needed to launch a "man-in-the-middle" attack, placing themselves between victims and websites. They would need to use approaches such as creating rogue WiFi "hotspots" in internet cafes.
