Yahoo! Launches Axis Browser Extension with Major Security Error


Australian security researcher Nik Cubrilovic recently uncovered a significant security error in the new Yahoo! Axis browser, which operates as an extension to Chrome, Firefox and Internet Explorer.

"I installed the Chrome extension ... with the idea of checking out the source code," Cubrilovic writes. "The first thing I noticed is that the source package contains their private certificate file used to sign the extension."
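The error described above is a packaging mistake: a signing key shipped inside the distributed extension. The following is an added example, not code from Yahoo! or from Cubrilovic's write-up, of a pre-release check that unwraps a CRX2 package (the "Cr24" header format used by Chrome extensions at the time) and flags any archive entry containing a PEM private key block; the sample package it builds is constructed in memory with dummy key and signature bytes.

```python
import io
import re
import struct
import zipfile

# PEM headers that mark private key material (RSA, EC, PKCS#8, encrypted PKCS#8).
PRIVATE_KEY_MARKER = re.compile(rb"-----BEGIN (?:[A-Z ]+ )?PRIVATE KEY-----")

def strip_crx_header(data: bytes) -> bytes:
    """Return the zip payload of a CRX2 package, or the data unchanged if it is a bare zip."""
    if data[:4] != b"Cr24":
        return data
    # CRX2 layout: magic, version, public key length, signature length, key, signature, zip.
    version, pubkey_len, sig_len = struct.unpack("<III", data[4:16])
    if version != 2:
        raise ValueError(f"unsupported CRX version {version}")
    return data[16 + pubkey_len + sig_len:]

def find_private_keys(zip_bytes: bytes) -> list:
    """Names of archive entries whose content contains a PEM private key block."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if PRIVATE_KEY_MARKER.search(zf.read(info)):
                hits.append(info.filename)
    return hits

def build_sample_crx(include_key: bool) -> bytes:
    """Constructed CRX2 package for demonstration; key and signature bytes are dummies."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("manifest.json", '{"name": "demo", "version": "1.0", "manifest_version": 2}')
        if include_key:  # simulate the mistake: a PEM key left in the package
            zf.writestr("key.pem", "-----BEGIN RSA PRIVATE KEY-----\nPLACEHOLDER\n-----END RSA PRIVATE KEY-----\n")
    pubkey, sig = b"\x00" * 32, b"\x00" * 64  # dummy, not a real key or signature
    header = b"Cr24" + struct.pack("<III", 2, len(pubkey), len(sig))
    return header + pubkey + sig + buf.getvalue()

if __name__ == "__main__":
    for with_key in (True, False):
        print(with_key, find_private_keys(strip_crx_header(build_sample_crx(with_key))))
```

Run against the real .crx (or the unpacked source directory, zipped) before publishing; any hit is a release blocker.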

"Since private keys allow developers to digitally sign new extensions or update their old ones, they should always be kept secret," writes ITworld's Lucian Constantin. "In order to prove the implications of the private key leak, Cubrilovic created a proof-of-concept Chrome extension that displays an alert on every visited website and signed it with Yahoo's private key."

"There are all sorts of attacks that could be executed with a spoofed extension; the most obvious of these, as Cubrilovic notes, would be to create and sign a traffic logger to capture a victim’s web activity," writes The Register's Richard Chirgwin.

"To their credit, Yahoo! moved quickly," writes Geek.com's Lee Mathews. "They pulled down the original extension, issued a new private key, and then repacked the Axis .CRX without spilling the beans a second time. The original key has been nuked, so it can’t be used for nefarious purposes at this point. That’s a good thing, since the whole thing is exposed in Cubrilovic’s images and anyone with a fair amount of patience could simply type it in and save it with the original file name."