Yahoo! Launches Axis Browser Extension with Major Security Error
The source package contains the company's private certificate file used to sign the extension, according to security researcher Nik Cubrilovic.
"I installed the Chrome extension ... with the idea of checking out the source code," Cubrilovic writes. "The first thing I noticed is that the source package contains their private certificate file used to sign the extension."
"Since private keys allow developers to digitally sign new extensions or update their old ones, they should always be kept secret," writes ITworld's Lucian Constantin. "In order to prove the implications of the private key leak, Cubrilovic created a proof-of-concept Chrome extension that displays an alert on every visited website and signed it with Yahoo's private key."
"There are all sorts of attacks that could be executed with a spoofed extension; the most obvious of these, as Cubrilovic notes, would be to create and sign a traffic logger to capture a victim’s web activity," writes The Register's Richard Chirgwin.
"To their credit, Yahoo! moved quickly," writes Geek.com's Lee Mathews. "They pulled down the original extension, issued a new private key, and then repacked the Axis .CRX without spilling the beans a second time. The original key has been nuked, so it can’t be used for nefarious purposes at this point. That’s a good thing, since the whole thing is exposed in Cubrilovic’s images and anyone with a fair amount of patience could simply type it in and save it with the original file name."
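The packaging mistake described above is easy to catch before an extension ships: unpack the .crx and refuse to publish if any archive member carries a PEM private-key block. The following checker is an added example, not Yahoo!'s or Cubrilovic's code; it parses the CRX2 framing (the format in use at the time, assumed here) with only the standard library and builds its own constructed sample package that wrongly contains a key.pem.

```python
import io
import re
import struct
import zipfile

# Matches any PEM private-key block: PKCS#1 "RSA PRIVATE KEY",
# PKCS#8 "PRIVATE KEY", "EC PRIVATE KEY" and encrypted variants.
PRIVATE_KEY_RE = re.compile(rb"-----BEGIN [A-Z ]*PRIVATE KEY-----")


def split_crx2(data: bytes) -> bytes:
    """Return the zip payload of a CRX2 file, or the data unchanged if it is a bare zip.

    CRX2 layout: magic "Cr24", u32 version (2), u32 public-key length,
    u32 signature length, public key, signature, then the zip archive.
    """
    if data[:4] != b"Cr24":
        return data
    version, key_len, sig_len = struct.unpack("<III", data[4:16])
    if version != 2:
        raise ValueError(f"unsupported CRX version {version}")
    return data[16 + key_len + sig_len:]


def find_private_keys(package: bytes) -> list:
    """List archive members that contain a PEM private-key block (a release blocker)."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(split_crx2(package))) as zf:
        for info in zf.infolist():
            if not info.is_dir() and PRIVATE_KEY_RE.search(zf.read(info.filename)):
                hits.append(info.filename)
    return hits


def build_sample_crx() -> bytes:
    """Constructed sample: a CRX2-framed zip that ships its signing key as key.pem."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("manifest.json", '{"name": "sample", "version": "1.0"}')
        zf.writestr("background.js", "console.log('hello');")
        zf.writestr("key.pem", "-----BEGIN RSA PRIVATE KEY-----\nMIIB...\n"
                               "-----END RSA PRIVATE KEY-----\n")
    fake_pubkey = b"\x30\x0d"   # placeholder bytes, not a real DER key
    fake_sig = b"\x00" * 8      # placeholder bytes, not a real signature
    header = b"Cr24" + struct.pack("<III", 2, len(fake_pubkey), len(fake_sig))
    return header + fake_pubkey + fake_sig + buf.getvalue()


if __name__ == "__main__":
    print("private key material found in:", find_private_keys(build_sample_crx()))
```

Run it against a real .crx by reading the file into `find_private_keys`; a non-empty result means the package must not be uploaded and the key should be rotated, as Yahoo! eventually did.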