Slashdot Mirror

← Back to Stories (view on slashdot.org)

Yahoo Includes Private Key In Source File For Axis Chrome Extension

Posted by timothy on from the open-source-rocks dept.

Trailrunner7 writes "Yahoo on Wednesday launched a new browser called Axis and researchers immediately discovered that the company had mistakenly included its private signing key in the source file, a serious error that would allow an attacker to create a malicious, signed extension for a browser that the browser will then treat as authentic. The mistake was discovered on Wednesday, soon after Yahoo had launched Axis, which is both a standalone browser for mobile devices as well as an extension for Firefox, Chrome, Safari and Internet Explorer. ... Within hours of the Axis launch, a writer and hacker named Nik Cubrilovic had noticed that the source file for the Axis Chrome extension included the private PGP key that Yahoo used to sign the file. That key is what the Chrome browser would look for in order to ensure that the extension is legitimate and authentic, and so it should never be disclosed publicly."

57 of 85 comments (clear)

  1. Yeah... by Anonymous Coward · · Score: 3, Insightful

    ...this is the group of clowns I want developing my browser extensions for me. Amiright?

    1. Re:Yeah... by Jeremiah+Cornelius · · Score: 3, Interesting

      Getting this back? HAH! Put that toothpaste back in the tube, Yahoo!

      They also included the letter "A" from Adobe in the source. This is a bitch.

      Exhibit A: http://37prime.com/news/wp-content/uploads/2012/05/Yahoo-Axis.jpg

      Exhibit B: http://www.mobilemarketingwatch.com/wordpress/wp-content/uploads/2012/02/Adobe-Shakes-Up-Digital-Publishing-With-Embellished-Platform.png

      --
      "Flyin' in just a sweet place,
      Never been known to fail..."
    2. Re:Yeah... by localman57 · · Score: 5, Funny

      ...this is the group of clowns I want developing my browser extensions for me. Amiright?

      It'll be fine. They all have computer science degrees. They said so on their resumes.

    3. Re:Yeah... by cpu6502 · · Score: 1

      Not the same A. Close... but the bottom leg is different.

      --
      My AC stalker: " I personally agree with your posts most of the time, but that won't keep me from modding you troll"
    4. Re:Yeah... by Beardo+the+Bearded · · Score: 5, Funny

      ...this is the group of clowns I want developing my browser extensions for me. Amiright?

      Really?

      You didn't go with "bunch of yahoos"?

      --

      ---
      ECHELON is a government program to find words like bomb, jihad, plutonium, assassinate, and anarchy.
    5. Re:Yeah... by bobcat7677 · · Score: 1

      I hesitate to speculate on what's happening over at Yahoo. But whatever it is, it can't be good, and hasn't been good for a long time. The "new" yahoo mail is shiite. I used to use yahoo bookmarks to keep track of links wherever I might be...they "upgraded" that and now it's dog slow and won't even allow you to view bookmarks if you have more then a certain amount per folder. Completely useless. The Yahoo "toolbar" has caused problems with more computers then I can count. First thing I do when my friends/family bring me their "slow" computer is uninstall that crap. So far not one had said they actually used it. I could go on, but you get the idea. Lots of code, with no quality in sight.

    6. Re:Yeah... by Anonymous Coward · · Score: 1

      Nothing interesting has happened at Yahoo since before 2000. Of all the Old Internet firms to survive on inertia, Yahoo is the most significant. I had an old and fairly clueless friend who managed to get a senior admin position there on personal contacts, and they basically did fuck all but ride the wave.

  2. Re:Can it be changed by oakgrove · · Score: 3, Informative

    The cert is revoked and Chrome now says "This extension is blacklisted." when you try to install it.

    --
    The soylentnews experiment has been a dismal failure.
  3. "...but not so open that your brains fall out." by jeffb+(2.718) · · Score: 5, Funny

    That's how open your source should be.

  4. Poor Yahoo by alphax45 · · Score: 4, Funny

    I almost feel bad for them at this point. They are trying but can't seem to do anything to help themselves.

    --
    K Man
    1. Re:Poor Yahoo by Anonymous Coward · · Score: 1, Insightful

      I think this might go down as the moment where Yahoo? lost their last shred of credibility as a technology company. And it's not this one mistake that signals the end...it's the fact that I'm not that surprised by it. If it were Google or even Facebook I would be shocked. But Yahoo? Yeah, sounds about right.

      For a long time I've said that Yahoo? needs to forget the fact that they started as a search company. They're still a serious player in online display advertising and they own a lot of properties that are disproportionately valuable in terms of CPM. They should stop trying to come up with new doohickies and focus on what they do best - selling targeted advertising to major advertisers.

      It's a shame that they didn't hit the goldmine like google or fb did, but there's no point in letting the past get in the way of the opportunities of the moment. Yahoo could still be one hell of an ad network.

    2. Re:Poor Yahoo by Anonymous Coward · · Score: 1

      I tend to agree. What'll be key here is how well and how fast they fix & reduce this faux pas. That'll reflect true dev resources, and I'm not sure they have any.

      About a decade ago they tried to hire me. Big push to assemble a dream team of web developers, big offers with full perks already long vanished in the post-boom. The top-ordained plan was to hire all of the Names their devs respected, with serious funding and empowerment of their web staff thereafter.

      They'd figured out being second-place to Google wasn't a long-term survival plan, and that they'd have to scrap hard with Google for the first place in web development just to survive.

      Sounded like a good plan. Nothing ever came of it. They didn't get me, or any of the people I knew, and from the outside it didn't look like they did anything to empower their existing teams.

      There's just something culturally wrong with the place. Which, yeah is a shame because they're sitting on quite a pile of resources. That's quite a base for a company that really wants to use web development as their cutting edge. It'd be interesting to watch.

    3. Re:Poor Yahoo by virgnarus · · Score: 3, Insightful

      Nothing like what appears to be a genuine display of pity and compassion on a dying entity being modded up as "Funny". Certainly tells you how much of a laughingstock they are.

    4. Re:Poor Yahoo by Sulphur · · Score: 1

      I almost feel bad for them at this point. They are trying but can't seem to do anything to help themselves.

      Maybe they should mob up with Time-Warner; its the only way to be sure.

    5. Re:Poor Yahoo by alphax45 · · Score: 1

      Thank you for seeing that I was trying to be genuine.

      --
      K Man
    6. Re:Poor Yahoo by alphax45 · · Score: 1

      Agree with you both and nice insight into why they might be in this mess.

      --
      K Man
    7. Re:Poor Yahoo by virgnarus · · Score: 1

      Yah, no prob. To be honest, no matter how big or small a business is, I always feel dismayed seeing it go down. It means jobs lost, investments sunk, and lives altered. Even worse if the company is just trying to honestly make ends meat and ends up losing out. Obviously it always a risk for those involved, and they are well aware of it, but it doesn't make the process any easier.

  5. Re:Can it be changed by GerbilSoft · · Score: 4, Informative

    It's Yahoo's private key that was leaked, not Google's. Assuming Chrome's certificate system is reasonably decent, Yahoo should be able to publish a CRL to revoke that certificate and/or key, and then generate a new one.

  6. Dumb question... by Reasonable+Facsimile · · Score: 1

    Will the exploit still work/exist after Yahoo releases a fix?

    1. Re:Dumb question... by MickyTheIdiot · · Score: 3, Informative

      Cert has been revoked according to above notes.

      So, no, it already doesn't work. It just shows someone truly had a bad day at Yahoo yesterday (and probably before that as well)/

    2. Re:Dumb question... by Reasonable+Facsimile · · Score: 1

      Cert has been revoked according to above notes.

      So, no, it already doesn't work. It just shows someone truly had a bad day at Yahoo yesterday (and probably before that as well)/

      Thanks (don't know how I missed that originally).

    3. Re:Dumb question... by Hotawa+Hawk-eye · · Score: 1

      Thanks (don't know how I missed that originally).

      That's what he said.

    4. Re:Dumb question... by rastos1 · · Score: 1

      Cert has been revoked ...

      At first I was wondering what does PGP (mentioned in TFS/TFA) have to do with certificates? Nothing. The file included was a .pem (PKCS private key). Another question is - wasn't the private key file protected with a passphrase?

  7. Re:Can it be changed by Anonymous Coward · · Score: 1

    The only thing that got leaked was Yahoo's private key, i.e. what is used to prove that the extension is made by Yahoo. So as long as you don't install any extensions that claim that they are made by Yahoo, you should be fine.

    Drive-by downloads/installation would be a separate issue with browser security. I have no clue if there are any exploits in the wild that allow this. (I would think that most of these would be malware installed on your computer that modified your Chrome installation as opposed to "visit a website, extension installed automatically").

  8. Re:Can it be changed by The+MAZZTer · · Score: 1

    Key signing is only a concern if you install addons from sources other than the Chrome Web Store. If you upload an app to the Chrome Web Store Google takes care of the key signing for you (you upload in a simple ZIP file and Google generates the signed CRX file for you).

    I THINK the purpose key signing is to ensure that updates to an extension are signed with the same key, but I'm not sure. Users are normally never notified about anything concerning the key used to sign any extension. At any rate whenever you install a new extension OR an update to an extension asks for new security permissions there's always a prompt you must agree to.

    So it's probably safe enough to NEVER install Axis until Yahoo releases a version that's signed with a new key. I think other extensions should be unaffected.

  9. Exuberance by virgnarus · · Score: 5, Funny

    Did the hacker exclaim "Yahoo!" after he discovered it?

    1. Re:Exuberance by ch-chuck · · Score: 1

      Maybe, but I'm sure the package maintainer at yahoo! definitely had an 'oh shit!' moment.

      --
      try { do() || do_not(); } catch (JediException err) { yoda(err); }
  10. Re:Can it be changed by mcgrew · · Score: 5, Insightful

    Should I worry about this using Chrome?

    No, but you should worrry about using the Axix extension. If they're going to make a mistake that incredibly stupid, you'd be a fool to use it. What other gaping holes did they leave open?

    --
    Free Martian Whores!
  11. Original by A+Friendly+Troll · · Score: 1, Informative

    Would it have been SO FUCKING HARD to link to the original, instead to a site that won't even load as I'm writing this?

    http://nikcub.appspot.com/posts/yahoo-axis-chrome-extension-leaks-private-certificate-file

  12. Hi by Anonymous Coward · · Score: 3, Insightful

    Once again, THIS IS A BROWSER EXTENSION ON THE DESKTOP, and a FRONT END FOR MOBILE SAFARI.

    This is not a browser. This is NOT a BROWSER. FOR FUCK SAKES THIS IS NOT A BROWSER

    Hey, check out this brand new compiler I wrote! It's called yahoo_compiler.sh

        gcc $@

    pretty cool huh?

    1. Re:Hi by Anonymous Coward · · Score: 1

      pretty cool huh?

      No... It doesn't even work!

      $ cat yahoo_compiler.sh
      gcc $@

      $ cat hello\ world.c
      #include
      int main()
      {
      puts("Hello world\n");
      return(0);
      }

      $ ./yahoo_compiler.sh hello\ world.c
      gcc: hello: No such file or directory
      gcc: world.c: No such file or directory
      gcc: no input files

      You might want to use gcc "$@"

  13. This was entirely preventable. No pity for cheapos by Anonymous Coward · · Score: 1

    This is exactly what happens when you hire too few senior level technicians.

    Yes, they are more expensive than their entry-level counterparts. But as stories like this one show, they are worth it.

  14. Absolutely gibberish article summary by Anonymous Coward · · Score: 5, Insightful

    Wake up editors:

    "Yahoo on Wednesday launched a new browser called Axis and researchers immediately discovered that the company had mistakenly included its private signing key in the source file, a serious error that would allow an attacker to create a malicious, signed extension for a browser that the browser will then treat as authentic"

    Okay, perfect so far.

    "The mistake was discovered on Wednesday, soon after Yahoo had launched Axis, which is both a standalone browser for mobile devices as well as an extension for Firefox, Chrome, Safari and Internet Explorer."

    I already knew the mistake was discovered on Wednesday, soon after Yahoo had launched Axis. This sentence does have some new information though.

    "Within hours of the Axis launch, a writer and hacker named Nik Cubrilovic had noticed that the source file for the Axis Chrome extension included the private PGP key that Yahoo used to sign the file. That key is what the Chrome browser would look for in order to ensure that the extension is legitimate and authentic, and so it should never be disclosed publicly."

    Yes, I know something happened within hours of the Axis launch. You already told me twice. You also already told me why it's bad that the key was available publicly.

    Here's a new summary:
    On Wednesday, Yahoo! launched a web browser called Axis, which is both a standalone browser for mobile devices and an extension for popular desktop browsers. Shortly after launch, a writer and hacker named Nik Cubrilovic noticed that the Chrome version of the extension mistakenly included the private PGP key that Yahoo used to sign the file. This file could be used to generate a malicious spoof version of the extension.

    Never mind the secondary-source quoting, which is also obnoxious.

    1. Re:Absolutely gibberish article summary by BattleApple · · Score: 5, Insightful

      I, for one, welcome our new anonymous summary-critiquing overlord

  15. "That little bitty ting. It's not the same." by Anonymous Coward · · Score: 1

    Vanilla Ice? Is that you?

    http://www.youtube.com/watch?v=1s0hEi8zhmg

  16. Re:Can it be changed by localman57 · · Score: 5, Funny

    Please explain instead of assuming you are right and we'll all see how right you are if only we were as smart as you.

    My cousin was on crank for a while. One time he was tweaking for about 3 days straight. And about halfway through, his sentences sounded just like that.

  17. Re:This was entirely preventable. No pity for chea by Anonymous Coward · · Score: 3, Funny

    Maybe they have a habit of hiring expensive people who claimed they were senior level in their resume?

  18. Cringe-worthy summary. by leftover · · Score: 1

    Although I did not RTFA I must comment that the summary was notably terrible in identifying what was compromised:
    "That key is what the Chrome browser would look for in order to ensure that the extension is legitimate and authentic, and so it should never be disclosed publicly."

    How about this:
    "The value of this key depends solely on everyone else trusting that only Yahoo knows it."

    --
    Bent, folded, spindled, and mutilated.
  19. Re:Can it be changed by mwvdlee · · Score: 1

    Yes, we all know how keys public/private keys work.
    But that doesn't explain how it can hurt anybody except Yahoo now that Google has revoked it.

    --
    Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
  20. Re:Can it be changed by localman57 · · Score: 4, Funny

    What other gaping holes did they leave open?

    Everyone is advised to be very, very careful what links they click on from this parent post. You guys know what I'm talking about....

  21. Re:Can it be changed by idontgno · · Score: 2

    How about, "It hurts users who have loaded extensions signed with Yahoo's private key, who now have to unload those extensions and find updated versions signed with Yahoo's new private key."

    Fer instance.

    BTW, "hurt" is the drama-queen way to express the impact. "Inconvenience" is more accurate. Both for Yahoo, and users who have trusted Yahoo's old signatures, as long as the revocation is effective and quick enough to prevent Yahoo-signed malware from getting a foothold.

    If that happens, the impact to users escalates beyond "inconvenience" to "big inconvenience" or "real hurt", depending on what gets compromised. "Big inconvenience" == your machine becomes part of a botnet. "Real hurt" becomes a keylogger that transmit your banking or other personal information to an online crim who strips your bank accounts and begins to use your identity fraudulently.

    --
    Welcome to the Panopticon. Used to be a prison, now it's your home.
  22. from hacker to researcher... by kj_kabaje · · Score: 1

    ah... how times change. Or is it now white-hat is a researcher and black-hat is a hacker?

  23. Quote mistake: Private vs. public key by Anonymous Coward · · Score: 1

    "Axis Chrome extension included the private PGP key that Yahoo used to sign the file. That key is what the Chrome browser would look for in order to ensure that the extension is legitimate and authentic, and so it should never be disclosed publicly."

    The Yahoo developer will never get it right by reading /. The public key is used by the browser to verify the extension. The private key is used to sign the extension, not to verify it. The private key is to never be shipped with the browser!

  24. Re:Can it be changed by Sulphur · · Score: 1

    Please explain instead of assuming you are right and we'll all see how right you are if only we were as smart as you.

    My cousin was on crank for a while. One time he was tweaking for about 3 days straight. And about halfway through, his sentences sounded just like that.

    Is that why they call it crank; because words keep turning up like pedals on a bike?

  25. Re:Can it be changed by rrohbeck · · Score: 1

    So that's why there was a Chrome update last night? That was quick.

    --
    thegodmovie.com - watch it
  26. Re:Can it be changed by X0563511 · · Score: 1

    Supposedly this is already done. ... at least on Google's end. I don't chrome, so I have no idea if this is a manual blacklisting or a CRL.

    --
    For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
  27. Game Changer!!! by tunapez · · Score: 1

    My initial reservations to allowing these yahoos handle my browsing experience have been quashed. Only a luser wouldn't trust these 'professionals' with his\her datas.

    --
    Imagination drew in bold strokes, instantly serving hopes and fears, while knowledge advanced by slow increments...
  28. Amateurs by gweihir · · Score: 1

    As long as amateurs are responsible for making "professional" software, security is an illusion. Utterly pathetic, really.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  29. Re:Can it be changed by Billly+Gates · · Score: 1

    What other gaping holes did they leave open?

    Everyone is advised to be very, very careful what links they click on from this parent post. You guys know what I'm talking about....

    What like this one?

    --
    http://saveie6.com/
  30. How Chrome extension signing works by pspmikek · · Score: 4, Informative

    I'm not sure everyone understands exactly what this file is.

    When you create a Chrome extension, if you are not going to submit the Chrome extension to the store, you ask Chrome to package the extension. In this process, Chrome generates a private key. This key has nothing to do with identifying you as the author. It is only used so that you when you update the extension, you can package and sign it using the same key. Everyone has to keep a local copy of this key, because if you lose it, you can never update your extension. It appears Yahoo kept it in their build directory and accidentally packaged it.

    Having this private key allows you to build a Chrome extension that when installed overlays the existing Yahoo extension. This is because the private key is how Chrome uniquely identifies an extension.

    So yes, this was a dumb mistake. It would allow someone to create an add-on that when installed would overwrite the Yahoo Axis extension. To do this, you would need to create the extension and then convince someone to install it. But if you can convince someone to install it, you can convince them to install any Chrome extension.

    This was not giving away "Yahoo's private key," it was giving away "the private key that Chrome generated to allow Yahoo to sign their extension."

    There is the remote possibility that Yahoo used a real private key to sign their Chrome extension and not one generated by Chrome. If that's the case, everyone involved in the project should be fired.

    1. Re:How Chrome extension signing works by PuZZleDucK · · Score: 1

      You sound like you know what your talking about, but from the TP article: "Yahoo officials said that they are in the process of publishing a new, repaired extension".

      I don't think Yahoo would be admitting blame or Google revoking keys in Chrome if the key was not significant.

      --
      Can a person program a new solution to a problem? Why should anyone be able to stop such a thing? -Richard Stallman
    2. Re:How Chrome extension signing works by pspmikek · · Score: 1

      To add to what Anonymous posted below, what Google has essentially done is blacklisted the ID associated with that key.

      They want to be proactive and make sure noone else uses that key because any time a Chrome extension signed with that key is installed, it would always overwrite Yahoo Axis.

      Chrome keys are used to generate unique IDs for their extensions one key == one ID.

      They also blacklist IDs for things like malware.

      Blacklisting extensions is done by Mozilla as well based on IDs, only the Firefox IDs are generated by the developer of the add-on.

    3. Re:How Chrome extension signing works by pspmikek · · Score: 1

      This isn't really a code signing certificate, this is just a Chrome thing.

      What you're referring to is a certificate that a company pays hundreds or thousands of dollars for and gets from a company like Verisign (are they still in business?). This certificate needs to be treated with utmost care because anyone that gets it can sign an executable or other application saying that it came from a specific company.

      These certificates should NOT be used to sign Chrome extensions, because in the Chrome world you can only sign one extension for each certificate because the unique ID is based on a hash of the certificate.

      Firefox supports using these certificates to sign add-ons. That's why sometimes when you install Firefox add-ons, you see a company name in the install dialog.

  31. Re:Get your Senior Dev résumés to Yahoo by Genda · · Score: 1

    Uh, uh. uh... mustn't forget the firing!!!

  32. It's called and OpenPGP key. by MagicFab · · Score: 2

    OpenPGP, PGP and GnuPG / GPG are often used interchangeably - a common mistake.

    OpenPGP is technically a proposed standard although it is widely used.

    PGP is an acronym for Pretty Good Privacy, a computer program which provides cryptographic privacy and authentication.

    GnuPG is an abbreviation for Gnu Privacy Guard, another computer program which provides cryptographic privacy and authentication.

    gpg is the name of the binary executable file for GnuPG in Gnu/Linux- and Unix-nased operating systems.

    --
    Notepad specialist & FAT administrator, group training available
  33. Re:Can it be changed by Anonymous Coward · · Score: 2, Informative

    No, Chrome polls for a list of blacklisted plugins every few hours. It's entirely independent of the browser updates.

  34. Yahoo sucks by akubot · · Score: 1

    One more piece of evidence that explains Yahoo's long, slow decline as a software enterprise.