The Poodle bug is set to make a comeback after researchers discovered it affecting some implementations of the Transport Layer Security (TLS) protocol.
The flaw allows hackers to listen to conversations between web client and server because its lacks a requirement for cryptographic padding, which adds to data to make it less susceptible to encryption. The bug was last found on the third version of the Security Sockets Layer (SSL) two months ago.
"The impact of this problem is similar to that of Poodle, with the attack being slightly easier to execute," said Ivan Ristic, director of engineering at the security company Qualys.
"The main target are browsers, because the attacker must inject malicious JavaScript to initiate the attack. A successful attack will use about 256 requests to uncover one cookie character, or only 4096 requests for a 16-character cookie. This makes the attack quite practical."
He estimated that as much as 10% of the web could be impacted by the bug, making it the most significant threat to web security since the Heartbleed OpenSSL flaw allowed similar interception of data.
Adam Langley, a security engineer at Google, reported that "a number of major sites" were affected, and that at least two network vendors were having problems with the bug, one being F5 Networks and the other being A10 Networks.
"I’m not completely sure that I’ve found every affected vendor but, now that this issue is public, any other affected products should quickly come to light," he added.
