Google Discovers Web Threat Like Heartbleed and Shellshock

150

Google researchers team have found a security bug in widely used web encryption technology SSL 3.0, allowing hackers to take control of email, banking, and other accounts. Google term it as ‘Poodle’ attack.

Poodle stands for Padding Oracle On Downloaded Legacy Encryption. Google has advised developers to disable the use of the source of the SSL 3.0.

Notably, this year, it is the third time that researchers have uncovered a vulnerability in widely used web technology, in April ‘Heartbleed’ bug in OpenSSL and last month’s ‘Shellshock’ bug in a piece of Unix software known as Bash.

According to the security experts, hackers could steal browser ‘cookies’ in ‘Poodle’ attacks, potentially taking control of email, banking, social networking, and other accounts.

However, experts say that the ‘Poodle’ thread is not so series as Shellshock and Heartbleed.

“If Shellshock and Heartbleed were Threat Level 10, then Poodle is more like a 5 or a 6,” said Tal Klein, a vice president with cloud security firm Adallom.

Ivan Ristic, director of application security research with Qualys, said ‘Poodle’ was not as serious as the previous threats because the attack was ‘quite complicated,’ requiring hackers to have privileged access to networks.

Jeff Moss, a cyber adviser to the US Department of Homeland Security, said attackers would need to launch a ‘man-in-the-middle’ attack, placing themselves between victims and websites using approaches such as creating rogue Wi-Fi ‘hotspots’ in the internet cafes.

Google added on its blog that it hopes to remove support for SSL 3.0 from all client software eventually. Mozilla plans to disable SSL 3.0 by default in the next version of its Firefox browser, which is scheduled to be released on November 25.

“SSL version 3.0 is no longer secure,” Mozilla said on its blog. “Browsers and websites need to turn off SSLv3 and use more modern security protocols as soon as possible.”

Microsoft issued an advisory suggesting that customers disable SSL 3.0 on Windows for servers and PCs.

Matthew Green, an assistant research professor of computer science at Johns Hopkins University, said that disabling SSL 3.0 can be difficult for some computer users.

“It’s not going to take out the infrastructure of the internet. But it’s going to be a hassle to fix,” Green said.

 

Previous articleDoogee Launches Titans 2 DG700, Iron-bone DG750 and Hitman DG850
Next articleDoogee Launching F series Turbo Mini, Ibiza and Europa

Share your thoughts here!

This site uses Akismet to reduce spam. Learn how your comment data is processed.