Friday, 25 May 2012 15:54

Yahoo Leaks Private Key!


Yahoo released its Axis extension for Chrome and accidentally shipped the private signing key inside the package, which lets anyone build extensions that carry Yahoo's signature. A miscreant could package malicious code that installs and runs on a victim's computer while appearing, to the browser and the user, to come from Yahoo.

An Australian researcher exposed the mistake and said users should not install the extension "until the issue is clarified." He examined the extension's source code and found the private key, the key Yahoo uses to sign the extension so that Chrome can confirm a package is genuine and unaltered. A signature only proves that a package was produced with that key; once the key is public, it no longer proves who produced it.

There are myriad attacks that could be executed with a spoofed extension; the most obvious would be to create and sign a traffic logger that captures a victim's Web activity. The researcher also produced a proof-of-concept of a spoofing attack and wrote up instructions on how to remove the extension.
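To make the mechanics concrete, here is an added example in Go; it is not code from Yahoo, the researcher, or the Chrome project. It models the CRX signing scheme Chrome used at the time (an RSA PKCS#1 v1.5 signature over the SHA-1 digest of the zipped extension, with the DER public key carried in the package header) and Chrome's derivation of the extension ID from that public key (SHA-256, first 16 bytes, each nibble mapped to the letters a-p). The payload is a plain byte string standing in for the zip, the manifests are constructed for the demo, and the function names `Pack`, `Ship`, `Forge` and `FindPrivateKey` are assumptions of this example. It shows the vendor's package verifying, the bundled key being picked out by a pre-release check, and a forged package verifying under the vendor's own extension ID.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
)

// Package models what a 2012-era CRX carried after its "Cr24" header: the DER public
// key, a PKCS#1 v1.5 SHA-1 signature over the payload, and the payload (a zip in a
// real package; a plain byte string here).
type Package struct{ PubDER, Sig, Payload []byte }

// Pack signs payload with priv, as the vendor's build step does.
func Pack(priv *rsa.PrivateKey, payload []byte) (*Package, error) {
	pubDER, err := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	if err != nil {
		return nil, err
	}
	digest := sha1.Sum(payload)
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA1, digest[:])
	if err != nil {
		return nil, err
	}
	return &Package{PubDER: pubDER, Sig: sig, Payload: payload}, nil
}

// Verify is all the browser can check: the signature matches the key in the header.
// It proves "signed with this key", never "signed by the vendor".
func (p *Package) Verify() bool {
	pub, err := x509.ParsePKIXPublicKey(p.PubDER)
	rsaPub, ok := pub.(*rsa.PublicKey)
	if err != nil || !ok {
		return false
	}
	digest := sha1.Sum(p.Payload)
	return rsa.VerifyPKCS1v15(rsaPub, crypto.SHA1, digest[:], p.Sig) == nil
}

// ExtensionID is Chrome's 32-letter ID: SHA-256 of the DER public key, first 16 bytes,
// each nibble mapped to a-p. Same key, same ID, so a forgery is "the vendor's extension".
func ExtensionID(pubDER []byte) string {
	const alpha = "abcdefghijklmnop"
	sum := sha256.Sum256(pubDER)
	id := make([]byte, 0, 32)
	for _, b := range sum[:16] {
		id = append(id, alpha[b>>4], alpha[b&15])
	}
	return string(id)
}

// FindPrivateKey is the pre-release check that would have caught the Axis build: walk every
// PEM block in the payload and flag any that parses as an RSA private key.
// On a real package run it over each extracted zip entry, not the compressed archive bytes.
func FindPrivateKey(payload []byte) *rsa.PrivateKey {
	for block, rest := pem.Decode(payload); block != nil; block, rest = pem.Decode(rest) {
		if k, err := x509.ParsePKCS1PrivateKey(block.Bytes); err == nil {
			return k
		}
	}
	return nil
}

// Ship builds the vendor's package from a fresh key; with bundleKey it repeats the Axis
// mistake and puts the signing key into the payload next to the manifest.
func Ship(manifest string, bundleKey bool) (*Package, error) {
	vendor, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	payload := []byte(manifest + "\n")
	if bundleKey {
		keyPEM := &pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(vendor)}
		payload = append(payload, pem.EncodeToMemory(keyPEM)...)
	}
	return Pack(vendor, payload)
}

// Forge is the attacker's step: lift the key out of the shipped package and sign any payload.
func Forge(shipped *Package, malicious []byte) (*Package, error) {
	key := FindPrivateKey(shipped.Payload)
	if key == nil {
		return nil, errors.New("package does not contain its signing key")
	}
	return Pack(key, malicious)
}

func main() {
	// Constructed manifests for the demo, not Yahoo's files.
	shipped, _ := Ship(`{"name":"Search Helper","version":"1.0"}`, true)
	forged, _ := Forge(shipped, []byte(`{"name":"Search Helper","version":"1.1"}`))
	fmt.Printf("shipped: bundles key=%v id=%s\n", FindPrivateKey(shipped.Payload) != nil, ExtensionID(shipped.PubDER))
	fmt.Printf("forged:  verifies=%v id=%s\n", forged.Verify(), ExtensionID(forged.PubDER))
}
```

The `FindPrivateKey` scan is the cheap control here: run it over every extracted file of a package before upload and treat any hit as a release blocker, because once the key has shipped, nothing the browser checks can tell the vendor's build from an attacker's.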

Yahoo has since posted a replacement Web search extension that no longer includes the private key. Pulling the file from the download does not recall the copies already made, though; anything signed with the leaked key remains valid to the browser until the key itself is retired.

What is Axis? Axis is a new search and browsing tool from Yahoo that was released on Wednesday. It is available for desktop computers as an extension for Google Chrome, Mozilla Firefox, Internet Explorer and Safari, and for iOS devices as a stand-alone app.

Source: http://www.theregister.co.uk/2012/05/24/yahoo_ships_private_certificate_by_accident/
Source: http://securitywatch.pcmag.com/web-browsers/298353-yahoo-updates-axis-chrome-extension-removes-private-key
Source: http://www.pcworld.com/article/256182/yahoo_leaks_private_key_allows_anyone_to_build_yahoosigned_chrome_extensions.html
Source: http://www.geek.com/articles/news/yahoo-axis-chrome-extension-leaks-private-key-20120524/
Source: http://www.computerworld.com/s/article/9227453/Yahoo_leaks_private_key_allows_anyone_to_build_Yahoo_signed_Chrome_extensions

Last modified on Friday, 25 May 2012 17:32
Rich Wermske

I am a native Houstonian, disabled American veteran, aspiring Buddhist, and a 40-Something information technology leader, paralegal, and management wonk, living life on life's terms, with my partner of eleven years.

While I still struggle with humility, I strive to make willingness, honesty, and open-mindedness a cornerstone in all my affairs. I work hard, and I believe I play well with others. Eleven years of sobriety has taught me that none of "this" means a damn thing if I'm unwilling, dishonest, or close-minded.

While I've lived the roller-coaster, today I rarely have to defend or justify the actions of that person I see looking back at me in the mirror...

Website: www.wermske.com
I don't agree with all of this, but it's food for thought. -rw