<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
    <channel>
        <title>CBC Padding Oracles in 2025 with Wade King</title>
        <link>https://video.infosec.exchange/videos/watch/38b1aeee-fda2-4eef-aed2-3e383c871192</link>
        <description>CBC padding oracles are supposed to be “fixed,” but attackers are still using them to break real systems and take over accounts. In this BSides Vancouver Island talk, security researcher Wade King walks through how classic CBC padding oracle attacks work, then shows new techniques that bypass “hardened” implementations by abusing how applications read and validate decrypted data. You’ll see how subtle crypto mistakes in legacy systems and token-based authentication can quietly turn into full account takeover.

This session is ideal for blue and red teamers, penetration testers, AppSec engineers, and security architects dealing with legacy crypto, custom tokens, or encryption in web apps and APIs.

Key topics include:
- How CBC mode and padding actually interact at the byte level
- How classic CBC padding oracle attacks work in practice
- “Double ciphertext” tricks that revive padding oracles even with unified error messages
- Recovering first-block plaintext and IVs from structured tokens (like password reset links)
- How weak validation, predictable IDs, and automation lead to real-world account takeover on a gambling platform
- Practical guidance for migrating to authenticated encryption (AES‑GCM) or adding HMAC protection around existing CBC schemes

If you work on application security, pen testing, or crypto in production systems, this talk will sharpen how you think about “legacy but still deployed” encryption.

This session was recorded live at BSides Vancouver Island 2025 in Victoria, BC at the Victoria Conference Centre.
        </description>
        <lastBuildDate>Wed, 20 May 2026 22:13:46 GMT</lastBuildDate>
        <docs>https://validator.w3.org/feed/docs/rss2.html</docs>
        <generator>PeerTube - https://video.infosec.exchange</generator>
        <image>
            <title>CBC Padding Oracles in 2025 with Wade King</title>
            <url>https://video.infosec.exchange/client/assets/images/icons/icon-1500x1500.png</url>
            <link>https://video.infosec.exchange/videos/watch/38b1aeee-fda2-4eef-aed2-3e383c871192</link>
        </image>
        <copyright>All rights reserved, unless otherwise specified in the terms specified at https://video.infosec.exchange/about and potential licenses granted by each content's rightholder.</copyright>
        <atom:link href="https://video.infosec.exchange/feeds/video-comments.xml?videoId=38b1aeee-fda2-4eef-aed2-3e383c871192" rel="self" type="application/rss+xml"/>
    </channel>
</rss>