New ‘Poodle’ security bug has less bite than Heartbleed, Shellshock

Google security researchers have uncovered yet another security bug called "Poodle.".
Google security researchers have uncovered yet another security bug called "Poodle.". JOHANNES EISELE/AFP/Getty Images

Update (Oct. 15): Twitter has disabled support for SSL 3.0 in light of the Poodle vulnerability.

This means those using older web browsers, such as Internet Explorer 6, may not be able to access Twitter. This is because current browsers use newer security protocols, such as transport layer security (TSL), and only default to SSL when the site isn’t compatible with these newer protocols.

Mozilla added Wednesday it would disable SSL 3.0 in the next version of its Firefox browser, which will be released Nov. 25.


TORONTO – Google security researchers have uncovered yet another security bug in widely-used encryption technology that could allow hackers to take over email, banking and other online accounts.

Dubbed “Poodle,” the recently discovered vulnerability affects Secure Socket Layer (SSL) 3.0, which is used to encrypt information travelling between a web browser and a website, or a user’s email client and mail server.

Story continues below advertisement

The bug allows encrypted information to be accessed by an attacker using the same network. A hacker could then decrypt the information and access a user’s account without needing a password.

“It allows a clever attacker who can (a) control the Internet connection between your browser and the server, and (b) run some code in your browser to potentially decrypt authentication cookies for sites such as Google, Yahoo and your bank,” wrote Matthew Green, cryptographer and research professor at Johns Hopkins University, in a blog post.

“This is not another Heartbleed. It’s bad, but it’s not going to destroy the Internet.”

Poodle, which stands for “Padding Oracle on Downloaded Legacy Encryption,” affects both websites and web browsers using SSL 3.0.

But the new security flaw is creating far less panic than the Heartbleed or Shellshock bugs – both of which generated major concerns in the online security world.

READ MORE: What you need to know about the ‘Shellshock’ bug

Shellshock, discovered at the end of September, affected computers and other devices using Unix-based operating systems such as Linux and Mac OS X.

Many warned Shellshock – also known as “Bash” – could have been worse than the Heartbleed bug, which caused major security headaches in April, despite the fact many experts called Heartbleed the “biggest security vulnerability in the history of the Internet.”

Story continues below advertisement

However, Heartbleed and Shellshock allowed attackers to hack servers.

Poodle, on the other hand, allows hacks against clients, like your web browser.

“If Heartbleed [or] Shellshock merited a 10, then this attack is only around a 5,” wrote Robert Graham, CEO of Errata Security, in a blog post.

READ MORE: What is the Heartbleed bug and why is it a big deal?

Graham said that because Poodle is exploited through a man-in-the-middle style attack – where an attacker intercepts the information between the user and the website they are browsing – those who are most vulnerable are those using public Wi-Fi connections.

“The hacker needs to be able to tap into the wires between you and the website you are browsing, which is difficult to do. This means you are probably safe from hackers at home, because hackers can’t tap backbone links,” he wrote.

“However, when using the local Starbucks or other unencrypted Wi-Fi, you are in grave danger from this hack from hackers sitting the table next to you.”

Microsoft has issued an advisory suggesting customers disable SSL 3.0 on Windows servers and PCs. Both Google and Mozilla said they plan to disable SSL 3.0 in their next updates.

For now, the only thing the average web user can do to protect themselves is to use the latest version of their chosen web browser and to be weary when connecting to public Wi-Fi networks.

Story continues below advertisement