Hot on the heels of the Shellshock “Bash” bug, Google researchers have uncovered another dangerous computer bug. It’s called the Poodle bug, and while it may have a cute name, this computer bug is a real nasty piece of work. The Poodle bug might expose your banking info or email to hackers. Here’s everything you need to know about this new Internet threat.
1. Poodle Stands for ‘Padding Oracle On Downgraded Legacy Encryption’
Poodle stands for “Padding Oracle On Downgraded Legacy Encryption.” This security flaw allows hackers to break into your email, banking, and other types of online accounts. Hackers could force an Internet connection to downgrade to SSL 3.0, an older version of the secure connection format.
2. Poodle Is a Relatively Minor Threat
According to PC Mag, the Poodle security flaw isn’t as bad as recent threats like Shellshock or Heartbleed:
“Existing in old software and nearly all browsers, the bug is not easy to apply: It requires a hacker to tap into the connection between you and your browser, referred to as a man-in-the-middle exploit.
“‘If Heartbleed/Shellshock merited a 10, then this attack is only around a 5,’ said Errata Security’s Robert Graham.”
Chances are, you will be safe if you are surfing the web at home from a secure connection. However, hackers could conceivably use Poodle to spy on your activities in a public location, like a coffee shop with free Wi-Fi.
3. The Poodle Threat Was Outlined by Google Researchers
PC World notes that researchers Bodo Möller, Thai Duong and Krzysztof Kotowicz of Google were the first to recognize the Poodle bug’s potential.
Google’s Online Security Blog explains why this bug, which affects a version of SSL that’s over a decade old, has so many people freaked out:
“SSL 3.0 is nearly 15 years old, but support for it remains widespread. Most importantly, nearly all browsers support it and, in order to work around bugs in HTTPS servers, browsers will retry failed connections with older protocol versions, including SSL 3.0. Because a network attacker can cause connection failures, they can trigger the use of SSL 3.0 and then exploit this issue…Additionally, Google Chrome will begin testing changes today that disable the fallback to SSL 3.0.”
4. Google Is Preparing a Chrome Patch for Poodle
Google employee Adam Langley, who works on the team that manages Google’s Chrome browser, wrote a blog post about Poodle. He outlines Google’s plans for releasing a Chrome patch to deal with Poodle:
“I’ve just landed a patch on Chrome trunk that disables fallback to SSLv3 for all servers. This change will break things and so we don’t feel that we can jump it straight to Chrome’s stable channel. But we do hope to get it there within weeks and so buggy servers that currently function only because of SSLv3 fallback will need to be updated.”
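The fallback behaviour described in the two quotes above, as an added toy model in Python (not code from Google, Chrome or the original article): a client that retries with older versions ends up on SSL 3.0 whenever newer handshakes fail on the network, while a client with a version floor fails closed instead. The function names and the `network_drops` parameter are hypothetical, and no real network traffic is involved.

```python
# Toy model of protocol-version fallback (illustration only, no network I/O).
# All names are hypothetical and chosen for this example.
VERSIONS = ["TLS1.2", "TLS1.1", "TLS1.0", "SSL3.0"]  # newest first


def handshake(client_version, server_versions, network_drops=()):
    """Return the negotiated version, or None if the handshake fails.

    network_drops models anything on the path (an attacker or a buggy
    middlebox) that makes handshakes offering these versions fail.
    """
    if client_version in network_drops:
        return None
    # The server picks the newest version it supports at or below the offer.
    for version in VERSIONS[VERSIONS.index(client_version):]:
        if version in server_versions:
            return version
    return None


def connect(server_versions, min_version, network_drops=()):
    """Client that retries with older versions, but never below min_version."""
    floor = VERSIONS.index(min_version)
    for offer in VERSIONS[:floor + 1]:
        negotiated = handshake(offer, server_versions, network_drops)
        if negotiated is not None and VERSIONS.index(negotiated) <= floor:
            return negotiated
    return None  # fail closed rather than drop below the floor


if __name__ == "__main__":
    server = set(VERSIONS)                    # server still supports SSL 3.0
    failing = {"TLS1.2", "TLS1.1", "TLS1.0"}  # constructed failure pattern
    # Fallback allowed all the way down: the connection lands on SSL 3.0.
    print("fallback to SSL3.0 allowed:", connect(server, "SSL3.0", failing))
    # Fallback to SSL 3.0 disabled: the connection fails instead.
    print("floor at TLS1.0:           ", connect(server, "TLS1.0", failing))
```

The second case is the trade-off the Chrome quote describes: servers that only work through SSLv3 fallback stop working until they are updated.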
5. The Poodle Bug Is Also Being Called ‘Poodlebleed’
The video above offers an explanation of the Heartbleed security flaw that even non-techies can understand. In the video, popular YouTuber Tom Scott breaks down what Heartbleed is, using diagrams and Pokemon references to illustrate his point.
The Verge notes that this bug is also being referred to as “Poodlebleed,” a reference to the Heartbleed bug. Heartbleed was a flaw in OpenSSL, an open-source encryption technology. Because OpenSSL is used in the “secure” part of websites, Heartbleed left those sites vulnerable to hackers who were looking to steal passwords or personal financial details. Hackers can use Heartbleed and Poodlebleed in similar ways, but Poodlebleed’s effects are less far-reaching.