There's new reason to be leery about relying on Web-based services to handle sensitive data. A pair of German researchers revealed at the ACM Conference on Computer and Communications Security in Chicago this week that they have discovered a way to decrypt data within XML documents that have been encrypted using an implementation of the World Wide Web Consortium's XML Encryption standard.
...It [XML encryption] can be used, for example, to encrypt credit card information for a payment within an XML-based purchase order, so that the general data can be accessed by everyone who needs to have access to it while access to the financial data is limited to the people or systems authorized to process it.
Fixing the vulnerability will require a total rewrite of the W3C standard. "There is no simple patch for this problem," Somorovsky said in a statement issued by Ruhr University Bochum. "We therefore propose to change the standard as soon as possible."