Named as CRIME by the researchers, the threat exists due to a weakness in a special feature of TLS 1.0. However name of the feature has not been exposed yet. Official sources confirm that researchers Rizzo and Duong found this flaw. After obtaining the cookie, they could enter the website being used by the user and login with his / her credentials.
HTTPS is ideally designed to prevent such hijacks as it encrypts session cookies. This happens when they are stored in the browser or are in transit. However the new attack developed by Rizzo and Duong can decrypt the session cookies.
The attack can be attempted in two ways. In the first method the user needs to be directed to a rogue website. The other technique can be adopted if the hacker has control over the user's network. This happens by injecting the compromise code into an existing HTTP connection.
The finding also reveals that this specific attack does not need browser plug-ins to work. While researchers used Java Script to do the testing quicker, however it can happen without it too.