Flaws in the way web applications handle encrypted session cookies might leave online banking accounts open to attack. The security risk stems from a cryptographic weakness in web applications developed using Microsoft's ASP.Net framework.
ASP.Net uses the US government-approved AES encryption algorithm to secure the cookies generated by applications during online banking sessions and the like.

However implementation flaws in how ASP.NET handles errors when the encrypted data in a cookie has been modified give clues to a potential attacker that would allow him to narrow down the possible range of the keys used in an online banking session. Attacks based on this weakness might allow a hacker to decrypt sniffed cookies or forge authentications tickets, among other attacks.

The link for this article located at The Register UK is no longer available.