Yahoo has just released a new browser for iPad and iPhone, dubbed “Axis,” along with corresponding extensions for desktop versions of Chrome, Firefox, Safari, and Internet Explorer 9.
The new browser is supposed to tightly integrate search with web browsing and has a built-in feature to synchronize one’s mobile and desktop experience.
While that might interest some users, there is far bigger news for anyone who follows computer security.
In a move which is likely to take away some of the shine from the new product’s launch, Yahoo mistakenly bundled its private key inside the Chrome extension version of Axis.
A private key is used by a developer to sign an extension package in order to prove that the extension is actually from the developer. If a malicious third party were to obtain the private key, they would be able to release an extension signed with that developer’s certificate.
In other words, any of us could write an app and fairly convincingly pretend that it was actually from Yahoo.
Nik Cubrilovic, who discovered this major error, quickly took to Twitter and then to his blog to write about his discovery (along with notifying Yahoo).
Shortly thereafter, Cubrilovic used Yahoo’s own certificate to sign a forged version of the Chrome extension as a proof of concept.
Cubrilovic writes about the implications of Yahoo’s inclusion of the private certificate:
"The clearest implication is that with the private certificate file and a fake extension you can create a spoofed package that captures all web traffic, including passwords, session cookies, etc. The easiest way to get this installed onto a victim's machine would be to DNS spoof the update URL. The next time the extension attempts to update it will silently install and run the spoofed extension."
Yahoo has since released an updated version of the extension that removes the private key.
Now that the original private key has been leaked to the public, Yahoo has begun using a new certificate so that the old one can be revoked.
It is not entirely clear whether the Chrome browser itself can determine whether an extension has been signed with a revoked developer certificate, or how Chrome would behave in this circumstance. Cubrilovic and others plan to conduct additional tests.
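To make concrete what the private key does and why its exposure matters, here is an added example; it is not part of the original article and is not Yahoo's or Chrome's own code. It implements the CRX version-2 package layout that Chrome used for extensions at the time (an assumption on my part; the article does not describe the format): a "Cr24" header, the developer's public key, an RSA/SHA-1 signature over the zip payload, and the payload itself. The extension ID is derived from the public key, so a package signed with the leaked key carries the genuine ID and verifies cleanly; the package format itself carries no certificate chain or revocation information, the installer simply checks the signature against the key embedded in the package. Rotating to a new key pair, as the article says Yahoo did, therefore also gives the extension a new ID. All keys and payloads are generated or constructed inside the program; the zip archives are stand-in byte strings.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/x509"
	"encoding/binary"
	"errors"
)

// extensionID derives a Chrome extension ID from the DER-encoded public key:
// the first 128 bits of SHA-256(key), each hex nibble mapped onto 'a'..'p'.
func extensionID(pubDER []byte) string {
	sum := sha256.Sum256(pubDER)
	id := make([]byte, 32)
	for i, b := range sum[:16] {
		id[2*i] = 'a' + b>>4
		id[2*i+1] = 'a' + b&0x0f
	}
	return string(id)
}

// packCRX2 builds a CRX version-2 package: "Cr24", version, key length,
// signature length, DER public key, RSA PKCS#1 v1.5/SHA-1 signature, payload.
func packCRX2(priv *rsa.PrivateKey, payload []byte) ([]byte, error) {
	pubDER, err := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	if err != nil {
		return nil, err
	}
	digest := sha1.Sum(payload)
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA1, digest[:])
	if err != nil {
		return nil, err
	}
	hdr := make([]byte, 12)
	binary.LittleEndian.PutUint32(hdr[0:], 2)
	binary.LittleEndian.PutUint32(hdr[4:], uint32(len(pubDER)))
	binary.LittleEndian.PutUint32(hdr[8:], uint32(len(sig)))
	crx := append([]byte("Cr24"), hdr...)
	crx = append(crx, pubDER...)
	crx = append(crx, sig...)
	return append(crx, payload...), nil
}

// verifyCRX2 checks a package the way the installer does: the signature must
// verify under the key embedded in the package itself, and the package's
// identity is whatever ID that key hashes to; no revocation list is consulted.
func verifyCRX2(crx []byte) (string, error) {
	if len(crx) < 16 || string(crx[:4]) != "Cr24" || binary.LittleEndian.Uint32(crx[4:8]) != 2 {
		return "", errors.New("not a CRX2 package")
	}
	keyLen := uint64(binary.LittleEndian.Uint32(crx[8:12]))
	sigLen := uint64(binary.LittleEndian.Uint32(crx[12:16]))
	if 16+keyLen+sigLen > uint64(len(crx)) { // header lengths are untrusted input
		return "", errors.New("truncated package")
	}
	pubDER := crx[16 : 16+keyLen]
	sig := crx[16+keyLen : 16+keyLen+sigLen]
	payload := crx[16+keyLen+sigLen:]
	pubAny, err := x509.ParsePKIXPublicKey(pubDER)
	pub, ok := pubAny.(*rsa.PublicKey)
	if err != nil || !ok {
		return "", errors.New("embedded key is not a valid RSA key")
	}
	digest := sha1.Sum(payload)
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA1, digest[:], sig); err != nil {
		return "", errors.New("signature check failed: " + err.Error())
	}
	return extensionID(pubDER), nil
}

// must aborts the demo on errors that cannot occur for well-formed inputs.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// runScenario uses a freshly generated stand-in for the vendor's key (no real
// key is involved) and shows why a leaked signing key matters: anything signed
// with it carries the vendor's extension ID, while rotating the key changes it.
func runScenario() (genuineID, leakedID, rotatedID string, tamperedRejected bool) {
	vendorKey := must(rsa.GenerateKey(rand.Reader, 2048))
	rotatedKey := must(rsa.GenerateKey(rand.Reader, 2048))
	genuine := []byte("constructed zip: the vendor's real extension") // stand-in for the zip archive
	spoofed := []byte("constructed zip: something else entirely")
	genuineID = must(verifyCRX2(must(packCRX2(vendorKey, genuine))))
	leakedID = must(verifyCRX2(must(packCRX2(vendorKey, spoofed))))  // same ID as genuine
	rotatedID = must(verifyCRX2(must(packCRX2(rotatedKey, genuine)))) // new ID: users must reinstall
	tampered := must(packCRX2(vendorKey, genuine))
	tampered[len(tampered)-1] ^= 0xff // flip one payload byte after signing
	_, err := verifyCRX2(tampered)
	return genuineID, leakedID, rotatedID, err != nil
}
```

Calling runScenario shows three outcomes side by side: the package built with the leaked key has the same ID as the genuine one and passes every check the installer performs, the tampered package is rejected because its signature no longer matches, and the package built with a rotated key passes but under a different ID. That last point is the practical caveat for a vendor in Yahoo's position: revoking a leaked key in this scheme means shipping what is, to the browser, a new extension.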
If you downloaded the Yahoo Axis Chrome extension shortly after it was released, you may want to go to http://axis.yahoo.com and upgrade to the latest version.
On the other hand, it might be better to wait a few days before using Yahoo Axis to give researchers an opportunity to find additional security flaws.