ASP.Net Web apps face risk of widespread crypto attack


Web apps built on ASP.Net may face a new wave of crypto attacks, putting sensitive data — as well as Microsoft’s already tarnished reputation for insecurity — at risk.

The so-called padding oracle attack affects every ASP.Net Web application, according to security researcher Juliano Rizzo, enabling an attacker to decrypt cookies, view states, passwords, user data (such as Social Security numbers), and anything else encrypted using the framework’s API. Beyond getting their hands on sensitive data, malicious hackers could use the exploit to forge authentication tickets and access applications with admin rights…