Two researchers have released a tool which can be used to crack web server-encrypted session data contained in cookies and parameters hidden in HTML pages. The method used by Juliano Rizzo and Thai Duong's Padding Oracle Exploitation Tool (Poet) can also be used to crack CAPTCHAS. Poet utilises the Padding Oracle Attack, first discovered in 2002, to decrypt cypher block chaining (CBC) mode encrypted data without the key. Web applications such as those generated using the popular JavaServer Faces framework (JSF) are affected. The Padding Oracle Attack makes use of the fact that during encryption individual blocks must always be 8 or ...