Researchers have released software that exposes private information and
executes arbitrary code on sensitive websites by exploiting weaknesses in a
widely used web development technology.

Short for Padding Oracle Exploitation Tool, Poet is able to decrypt secret
data encrypted by the JavaServer Faces web development framework without knowing
the secret key. Attackers can use the padding oracle technique to access private
customer data on websites operated by banks, e-commerce companies and other
businesses, according to a paper (PDF) released in February by researchers
Juliano Rizzo and Thai Duong. In some cases, the exploit can be used to run
malicious software on the underlying server.