Yahoo Includes Private Key In Source File For Axis Chrome Extension
Trailrunner7 writes "Yahoo on Wednesday launched a new browser called Axis and researchers immediately discovered that the company had mistakenly included its private signing key in the source file, a serious error that would allow an attacker to create a malicious, signed extension for a browser that the browser will then treat as authentic. The mistake was discovered on Wednesday, soon after Yahoo had launched Axis, which is both a standalone browser for mobile devices as well as an extension for Firefox, Chrome, Safari and Internet Explorer. ... Within hours of the Axis launch, a writer and hacker named Nik Cubrilovic had noticed that the source file for the Axis Chrome extension included the private PGP key that Yahoo used to sign the file. That key is what the Chrome browser would look for in order to ensure that the extension is legitimate and authentic, and so it should never be disclosed publicly."
The cert is revoked and Chrome now says "This extension is blacklisted." when you try to install it.
The soylentnews experiment has been a dismal failure.
It's Yahoo's private key that was leaked, not Google's. Assuming Chrome's certificate system is reasonably decent, Yahoo should be able to publish a CRL to revoke that certificate and/or key, and then generate a new one.
Cert has been revoked according to above notes.
So, no, it already doesn't work. It just shows someone truly had a bad day at Yahoo yesterday (and probably before that as well).
Would it have been SO FUCKING HARD to link to the original, instead to a site that won't even load as I'm writing this?
http://nikcub.appspot.com/posts/yahoo-axis-chrome-extension-leaks-private-certificate-file
I'm not sure everyone understands exactly what this file is.
When you create a Chrome extension, if you are not going to submit the Chrome extension to the store, you ask Chrome to package the extension. In this process, Chrome generates a private key. This key has nothing to do with identifying you as the author. It is only used so that, when you update the extension, you can package and sign it using the same key. Everyone has to keep a local copy of this key, because if you lose it, you can never update your extension. It appears Yahoo kept it in their build directory and accidentally packaged it.
Having this private key allows you to build a Chrome extension that when installed overlays the existing Yahoo extension. This is because the private key is how Chrome uniquely identifies an extension.
So yes, this was a dumb mistake. It would allow someone to create an add-on that when installed would overwrite the Yahoo Axis extension. To do this, you would need to create the extension and then convince someone to install it. But if you can convince someone to install it, you can convince them to install any Chrome extension.
This was not giving away "Yahoo's private key," it was giving away "the private key that Chrome generated to allow Yahoo to sign their extension."
There is the remote possibility that Yahoo used a real private key to sign their Chrome extension and not one generated by Chrome. If that's the case, everyone involved in the project should be fired.
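Added illustration (not from any commenter, and not Yahoo's or Chrome's code) of the point made above: Chrome's extension ID is derived from the public key, so whoever holds the matching private key can ship a package that lands on the same ID, and the cheap fix is to refuse to package a directory that contains a PEM private key. The package contents and the key bytes below are constructed samples.

```python
import base64
import hashlib
import re

# Chrome derives an extension's ID from the SHA-256 of the DER-encoded public
# key: the first 128 bits, written as 32 hex digits, with each digit 0-f mapped
# onto the letters a-p. A second package signed with the same private key
# therefore gets the same ID and is treated as an update of the original.
_HEX_TO_AP = str.maketrans("0123456789abcdef", "abcdefghijklmnop")


def extension_id_from_der(public_key_der: bytes) -> str:
    """Return the 32-letter Chrome extension ID for a DER-encoded public key."""
    digest = hashlib.sha256(public_key_der).hexdigest()
    return digest[:32].translate(_HEX_TO_AP)


def extension_id_from_manifest_key(key_b64: str) -> str:
    """Same derivation, starting from the base64 'key' value found in manifest.json."""
    return extension_id_from_der(base64.b64decode(key_b64))


# Pre-release check: any PEM private-key block inside the files to be packaged
# is exactly the mistake described in the thread (the .pem left in the build dir).
_PRIVATE_KEY_MARKER = re.compile(rb"-----BEGIN [A-Z ]*PRIVATE KEY-----")


def find_private_keys(files: dict) -> list:
    """Return the names of packaged files that contain a PEM private key block."""
    return sorted(name for name, data in files.items()
                  if _PRIVATE_KEY_MARKER.search(data))


if __name__ == "__main__":
    # Constructed sample package: a manifest, a script and a stray .pem file.
    package = {
        "manifest.json": b'{"name": "demo", "version": "1.0"}',
        "background.js": b"console.log('hello');",
        "demo.pem": (b"-----BEGIN RSA PRIVATE KEY-----\n"
                     b"(constructed placeholder, not a real key)\n"
                     b"-----END RSA PRIVATE KEY-----\n"),
    }
    print("files that must not ship:", find_private_keys(package))
    # Constructed stand-in for a DER public key; the real one would come from
    # the CRX header or the manifest 'key' field.
    fake_der = b"constructed-public-key-bytes"
    print("extension id:", extension_id_from_der(fake_der))
```

Running `find_private_keys` over the staging directory before `crx` packaging would have caught the Axis leak; the ID derivation shows why revoking the key (rather than just re-signing) was the only way to stop look-alike packages.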
No, Chrome polls for a list of blacklisted plugins every few hours. It's entirely independent of the browser updates.