Yahoo leaks its own private key via new Axis Chrome extension

Filed Under: Data loss, Featured, Google Chrome, Mobile, Vulnerability

Yahoo has just released a new browser for iPad and iPhone, dubbed "Axis," along with corresponding extensions for desktop versions of Chrome, Firefox, Safari, and Internet Explorer 9.

The new browser is supposed to tightly integrate search with web browsing and has a built-in feature to synchronize one's mobile and desktop experience.

While that might appeal to some users, there is far more interesting news for those who follow computer security.

In a move which is likely to take away some of the shine from the new product's launch, Yahoo mistakenly bundled its private key inside the Chrome extension version of Axis.

Oops.

Yahoo's private key revealed

A private key is used by a developer to sign an extension package in order to prove that the extension is actually from the developer. If a malicious third party were to obtain the private key, they would be able to release an extension signed with that developer's certificate.

In other words, any of us could write an app and fairly convincingly pretend that it was actually from Yahoo.
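Because the signing key proves authorship, it must never ship inside the package it signs. The following pre-release check, written for this article and not code from Yahoo or from the Axis project, unwraps a Chrome CRX version-2 package (the "Cr24" header layout) and reports any bundled file that contains a PEM private key block. The sample packages it scans are constructed inline with placeholder key and signature bytes, not real key material.

```python
import io
import struct
import zipfile

# PEM markers that identify private key material; none of these belongs in a package.
PRIVATE_KEY_MARKERS = (b"-----BEGIN RSA PRIVATE KEY-----", b"-----BEGIN PRIVATE KEY-----",
                       b"-----BEGIN EC PRIVATE KEY-----", b"-----BEGIN ENCRYPTED PRIVATE KEY-----")
CRX_MAGIC = b"Cr24"

def zip_payload(package: bytes) -> bytes:
    """Return the zip inside a CRX version-2 file (or a plain zip unchanged).
    CRX2 layout: 'Cr24', uint32 version, uint32 public-key length, uint32
    signature length, public key, signature, zip; integers little-endian."""
    if package[:4] != CRX_MAGIC:
        return package
    version, pk_len, sig_len = struct.unpack("<III", package[4:16])
    if version != 2:
        raise ValueError("only CRX version 2 is handled here")
    return package[16 + pk_len + sig_len:]

def find_private_keys(package: bytes) -> list:
    """Names of files in a CRX2 or zip package that contain PEM private keys."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_payload(package))) as zf:
        for name in zf.namelist():
            if any(marker in zf.read(name) for marker in PRIVATE_KEY_MARKERS):
                hits.append(name)
    return hits

def build_sample_crx(files: dict) -> bytes:
    """Constructed test input: CRX2-shaped blob with dummy (invalid) key and
    signature bytes wrapping a zip of the given files."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    pubkey, sig = b"\x00" * 8, b"\x01" * 16
    return CRX_MAGIC + struct.pack("<III", 2, len(pubkey), len(sig)) + pubkey + sig + buf.getvalue()

# Constructed packages: one clean, one that mistakenly bundles a key file
# (the key body is a placeholder string, not real key material).
MANIFEST = b'{"name": "demo", "version": "1"}'
CLEAN = build_sample_crx({"manifest.json": MANIFEST})
LEAKY = build_sample_crx({"manifest.json": MANIFEST,
                          "keys/cert.pem": b"-----BEGIN RSA PRIVATE KEY-----\nPLACEHOLDER\n-----END RSA PRIVATE KEY-----\n"})

if __name__ == "__main__":
    print("clean:", find_private_keys(CLEAN))  # []
    print("leaky:", find_private_keys(LEAKY))  # ['keys/cert.pem']
```

Running the check against a built package before upload, or over a package you have downloaded, catches exactly the mistake described here; it does not verify the signature itself.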

Nik Cubrilovic, who discovered this major error, quickly took to Twitter and then to his blog to write about his discovery (along with notifying Yahoo).

Shortly thereafter, Cubrilovic used Yahoo's own certificate to sign a forged version of the Chrome extension as a proof of concept.

Cubrilovic writes about the implications of Yahoo's inclusion of the private certificate:

"The clearest implication is that with the private certificate file and a fake extension you can create a spoofed package that captures all web traffic, including passwords, session cookies, etc. The easiest way to get this installed onto a victim's machine would be to DNS spoof the update URL. The next time the extension attempts to update it will silently install and run the spoofed extension."

Yahoo has since released an updated version of the extension that removes the private key.

Now that the original private key has been leaked to the public, Yahoo has begun using a new certificate so that the old one can be revoked.

It is not entirely clear whether the Chrome browser itself can determine whether an extension has been signed with a revoked developer certificate, or how Chrome would behave in this circumstance. Cubrilovic and others plan to conduct additional tests.

If you downloaded the Yahoo Axis Chrome extension shortly after it was released, you may want to go to http://axis.yahoo.com and upgrade to the latest version.

On the other hand, it might be better to wait a few days before using Yahoo Axis to give researchers an opportunity to find additional security flaws.


6 Responses to Yahoo leaks its own private key via new Axis Chrome extension

  1. Copy, paste, oops.

    I believe Chrome uses IE's certificate manager, so it's just a matter of the OCSP protocol to revoke the cert.

  2. Paul · 691 days ago

    I'd be interested in hearing the community comments on comparison between the Google/Microsoft public disclosure and this one.

  3. Karel P Kerezman · 691 days ago

    This would be bigger if anyone still installed Yahoo-branded products anymore...

    (I kid! This is actually still pretty big, if mostly as a test to see how different vendors handle the fallout.)

  4. Rick · 691 days ago

    "If you downloaded the Yahoo Axis Chrome extension shortly after it was released, you may want to go to http://axis.yahoo.com and upgrade to the latest version."

    An even better suggestion - just avoid it altogether.

  5. Wolf_Star · 691 days ago

    I only once allowed anything Yahoo on my computer and immediately regretted it. As far as I was and am concerned, they have been, are and always will be a virus. This latest bit of stupidity only reinforces that opinion.

  6. Internaut · 691 days ago

    Am I surprised? - Nope!

    Just because Yahoo is big doesn't mean they are a safe and secure Internet giant ... as proven several times.


About the author

Joshua Long has a master's degree in IT concentrating in Internet Security and has taken doctorate-level coursework in Computer and Information Security. Josh's research has been featured by many fine publications such as CNET, CBS News, ZDNet UK, Lifehacker, CIO, Macworld, The Register, and MacTech Magazine. Look for more of Josh's articles featuring his research and musings on malware and security on his blog security.thejoshmeister.com, and follow him on Twitter and Google+.