The problem here is that the decryption function is leaking information about the outcome of the encryption. When encrypting a set of data, the encryption function normally requires the data to be divided into blocks of a certain size. The last block is padded to a full block. If during decryption that padding cannot be properly removed (is seen as invalid), many encryption functions throw an exception, and some websites reveal this information to the end user through error pages or error codes.
The algorithm for exploiting these padding oracles, is described in Practical Padding Oracle Attacks (by Juliano Rizzo and Thai Duongy) and Side-Channel Attacks on Symmetric Encryption Schemes: The Case for Authenticated Encryption (by J. Black and H. Urtubia).
There is a really good explanation of padding, Cipher Block Chaining (CBC) encryption and padding oracles here: Automated Padding Oracle Attacks with PadBuster.