Google researchers have found a fresh vulnerability in website encryption that could let hackers steal passwords and other private information.
The glitch, dubbed "Poodle", affects the 18-year-old SSL 3.0 protocol, which is used to encrypt information sent between a user and a web server.
While SSL 3.0 has been superseded, it remains a common fallback when interoperability bugs cause newer protocols to fail.
The researchers warn in a new research paper that an attacker could trigger SSL 3.0 by causing connection failures, and then intercept browser "cookies", including passwords.
First, however, the attacker would need to launch a "man-in-the-middle" attack by controlling a network.
This is commonly accomplished by creating a rogue Wi-Fi hotspot in public.
The best defence is to disable SSL 3.0 support altogether, the researchers wrote.
They said Google will start testing changes to its Chrome browser to prevent fallback to SSL 3.0.
"This change will break some sites and those sites will need to be updated quickly," they wrote in a blog post on Wednesday.
"In the coming months, we hope to remove support for SSL 3.0 completely from our client products."
The vulnerability is not believed to be as dangerous as the Heartbleed bug, which allowed hackers to steal large quantities of data, or Shellshock, which let hackers control computers remotely.
