Slashdot Mirror

← Back to Stories (view on slashdot.org)

Yahoo Includes Private Key In Source File For Axis Chrome Extension

Posted by timothy on from the open-source-rocks dept.

Trailrunner7 writes "Yahoo on Wednesday launched a new browser called Axis and researchers immediately discovered that the company had mistakenly included its private signing key in the source file, a serious error that would allow an attacker to create a malicious, signed extension for a browser that the browser will then treat as authentic. The mistake was discovered on Wednesday, soon after Yahoo had launched Axis, which is both a standalone browser for mobile devices as well as an extension for Firefox, Chrome, Safari and Internet Explorer. ... Within hours of the Axis launch, a writer and hacker named Nik Cubrilovic had noticed that the source file for the Axis Chrome extension included the private PGP key that Yahoo used to sign the file. That key is what the Chrome browser would look for in order to ensure that the extension is legitimate and authentic, and so it should never be disclosed publicly."

8 of 85 comments (clear)

  1. "...but not so open that your brains fall out." by jeffb+(2.718) · · Score: 5, Funny

    That's how open your source should be.

  2. Poor Yahoo by alphax45 · · Score: 4, Funny

    I almost feel bad for them at this point. They are trying but can't seem to do anything to help themselves.

    --
    K Man
  3. Exuberance by virgnarus · · Score: 5, Funny

    Did the hacker exclaim "Yahoo!" after he discovered it?

  4. Re:Yeah... by localman57 · · Score: 5, Funny

    ...this is the group of clowns I want developing my browser extensions for me. Amiright?

    It'll be fine. They all have computer science degrees. They said so on their resumes.

  5. Re:Can it be changed by localman57 · · Score: 5, Funny

    Please explain instead of assuming you are right and we'll all see how right you are if only we were as smart as you.

    My cousin was on crank for a while. One time he was tweaking for about 3 days straight. And about halfway through, his sentences sounded just like that.

  6. Re:This was entirely preventable. No pity for chea by Anonymous Coward · · Score: 3, Funny

    Maybe they have a habit of hiring expensive people who claimed they were senior level in their resume?

  7. Re:Yeah... by Beardo+the+Bearded · · Score: 5, Funny

    ...this is the group of clowns I want developing my browser extensions for me. Amiright?

    Really?

    You didn't go with "bunch of yahoos"?

    --

    ---
    ECHELON is a government program to find words like bomb, jihad, plutonium, assassinate, and anarchy.
  8. Re:Can it be changed by localman57 · · Score: 4, Funny

    What other gaping holes did they leave open?

    Everyone is advised to be very, very careful what links they click on from this parent post. You guys know what I'm talking about....