Comment 9 for bug 1175367

Paul McMillan (paul-mcmillan) wrote : Re: Memcache encryption middleware improperly implemented

> Can you please elaborate? How does an attacker "modify the output of the decryption"? If the attacker doesn't have the right decryption key, the decrypted output will be garbage and won't be interpreted as token data.

An attacker modifies the output of the decryption by changing bytes in the ciphertext. The encryption algorithm does not, by itself, reject this, and as you noted, this muddles some of the output. It is not true that it muddles all the output, however. Specifically, in the cipher mode currently used, modified bytes in the ciphertext will affect one block of output. If any significant amount of data is stored in the cache, this can allow strategic corruption of only a portion of the encrypted message, leaking information about the encrypted data or compromising client functionality.

For some examples of attacks on similar systems, I recommend reading these papers:
http://www.iacr.org/cryptodb/archive/2002/EUROCRYPT/2850/2850.pdf (the Vaudenay paper - a really good introduction)
http://eprint.iacr.org/2005/033.pdf (an attack on PGP's particular use of CFB)
http://static.usenix.org/event/woot10/tech/full_papers/Rizzo.pdf (the SSL oracle paper I mentioned above)

For further reading, I recommend Cryptography Engineering, by Ferguson, Schneier and Kohno.
http://www.amazon.com/dp/0470474246/
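The bit-flipping described in the comment above, as an added example that is not part of the bug report and not the Keystone middleware's own code. It assumes full-block CFB mode (the mode the PGP paper in the thread attacks; CBC behaves the same way with the roles of the two affected blocks swapped). CFB only ever runs the block cipher in the forward direction, so an HMAC-SHA256 pseudorandom function stands in for AES to keep the example to the standard library; the malleability is a property of the mode, not of the cipher. The cache entry is a constructed sample, not a real token, and the seal/unseal functions show the standard encrypt-then-MAC remedy, not the project's actual fix.

```python
import hashlib
import hmac
import os

BLOCK = 16


def _prf_block(key: bytes, block: bytes) -> bytes:
    # Stand-in for AES_k(block): CFB never needs the inverse direction.
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def cfb_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """CFB: C_i = P_i XOR E(C_{i-1}), with C_{-1} = IV."""
    out, prev = bytearray(), iv
    for i in range(0, len(plaintext), BLOCK):
        c = _xor(plaintext[i:i + BLOCK], _prf_block(key, prev))
        out += c
        prev = c
    return bytes(out)


def cfb_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    """CFB: P_i = C_i XOR E(C_{i-1}). Flipping a bit of C_i flips the same bit
    of P_i; P_{i+1} becomes garbage because C_i is the keystream input for it.
    Nothing here can tell a tampered ciphertext from a genuine one."""
    out, prev = bytearray(), iv
    for i in range(0, len(ciphertext), BLOCK):
        chunk = ciphertext[i:i + BLOCK]
        out += _xor(chunk, _prf_block(key, prev))
        prev = chunk
    return bytes(out)


# Constructed sample cache entry (not a real token). The flag we want to flip
# sits at byte 51, inside the final, partial block, so no later block exists
# to be garbled by the edit.
TOKEN = b'{"user": "alice", "roles": ["member"], "is_admin": 0}'
FLAG_OFFSET = TOKEN.index(b'"is_admin": 0') + len(b'"is_admin": ')


def tamper_flip_flag(ciphertext: bytes) -> bytes:
    """Attacker's move, no key needed: XOR the byte under the flag with 0x01,
    turning ASCII '0' (0x30) into '1' (0x31) after decryption."""
    ct = bytearray(ciphertext)
    ct[FLAG_OFFSET] ^= 0x01
    return bytes(ct)


def demo_malleability(key: bytes, iv: bytes):
    ct = cfb_encrypt(key, iv, TOKEN)
    # 1. Surgical edit in the last block: every other byte survives intact.
    p1 = cfb_decrypt(key, iv, tamper_flip_flag(ct))
    # 2. Edit in an earlier block: the chosen bit still flips ('u' -> 'U'),
    #    and only the following block (bytes 16..31) comes back as garbage.
    ct2 = bytearray(ct)
    ct2[2] ^= 0x20
    p2 = cfb_decrypt(key, iv, bytes(ct2))
    return p1, p2


def _subkeys(master_key: bytes):
    # Independent keys for encryption and for the MAC, derived from one secret.
    return (hmac.new(master_key, b"enc", hashlib.sha256).digest(),
            hmac.new(master_key, b"mac", hashlib.sha256).digest())


def seal(master_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: the tag covers IV || ciphertext."""
    enc_key, mac_key = _subkeys(master_key)
    iv = os.urandom(BLOCK)
    ct = cfb_encrypt(enc_key, iv, plaintext)
    return iv + ct + hmac.new(mac_key, iv + ct, hashlib.sha256).digest()


def unseal(master_key: bytes, blob: bytes):
    """Verify the tag in constant time before decrypting anything; return None
    on any mismatch so a tampered entry is treated like a cache miss."""
    if len(blob) < BLOCK + 32:
        return None
    enc_key, mac_key = _subkeys(master_key)
    iv, ct, tag = blob[:BLOCK], blob[BLOCK:-32], blob[-32:]
    expected = hmac.new(mac_key, iv + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return cfb_decrypt(enc_key, iv, ct)


if __name__ == "__main__":
    key, iv = os.urandom(32), os.urandom(BLOCK)
    p1, p2 = demo_malleability(key, iv)
    print("flag flipped, rest intact :", p1)
    print("early edit, next block junk:", p2)
    blob = bytearray(seal(key, TOKEN))
    blob[BLOCK + FLAG_OFFSET] ^= 0x01
    print("same edit against sealed  :", unseal(key, bytes(blob)))
```

The first decryption yields a fully well-formed entry with `"is_admin": 1`, which is exactly the "strategic corruption of only a portion of the encrypted message" the comment describes; the second shows that even a clumsy edit leaves everything but one block readable. Against the sealed form the same byte flip returns None, because the tag is checked over the ciphertext before any decryption happens.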