Reporting on the revelations, Dennis Fisher, a security researcher and writer with Kaspersky Labs, says that full details will be revealed at the Ekoparty security conference in Argentina when it opens this Thursday.
The issue – which he claims could affect millions of web applications – stems from the way ASP.NET, Microsoft's web framework, implements the AES encryption algorithm to protect the integrity of the cookies these applications generate to store information during user sessions.
A common mistake, says Fisher, is to assume that encryption protects the cookies from tampering so that if any data in the cookie is modified, the cookie will not decrypt correctly. "However, there are a lot of ways to make mistakes in crypto implementations, and when crypto breaks, it usually breaks badly", he said in his Threat-Post security blog.
Fisher quotes Thai Duong, one of the researchers who discovered the flaw, as saying that he and fellow researcher Juliano Rizzo knew that ASP.NET was vulnerable several months ago, but didn't realise how serious the situation was until a couple of weeks ago.
The Kaspersky Lab writer goes on to say that the two researchers "have developed a tool specifically for use in this attack, called the Padding Oracle Exploit Tool. Their attack is an application of a technique that's been known since at least 2002, when Serge Vaudenay presented a paper at on the topic at Eurocrypt", he explained.
The attack vector seems to allow remote users to decrypt cookies lifted from an ongoing IP session. These Cookies, says Fisher, "could contain valuable data such as bank balances, social security numbers or crypto keys."
"The attacker may also be able to create authentication tickets for a vulnerable web app and abuse other processes that use the application's crypto application programming interface", he adds.