Slashdot Mirror


Yahoo Includes Private Key In Source File For Axis Chrome Extension

Trailrunner7 writes "Yahoo on Wednesday launched a new browser called Axis and researchers immediately discovered that the company had mistakenly included its private signing key in the source file, a serious error that would allow an attacker to create a malicious, signed extension for a browser that the browser will then treat as authentic. The mistake was discovered on Wednesday, soon after Yahoo had launched Axis, which is both a standalone browser for mobile devices as well as an extension for Firefox, Chrome, Safari and Internet Explorer. ... Within hours of the Axis launch, a writer and hacker named Nik Cubrilovic had noticed that the source file for the Axis Chrome extension included the private PGP key that Yahoo used to sign the file. That key is what the Chrome browser would look for in order to ensure that the extension is legitimate and authentic, and so it should never be disclosed publicly."

22 of 85 comments

  1. Yeah... by Anonymous Coward · · Score: 3, Insightful

    ...this is the group of clowns I want developing my browser extensions for me. Amiright?

    1. Re:Yeah... by Jeremiah Cornelius · · Score: 3, Interesting

      Getting this back? HAH! Put that toothpaste back in the tube, Yahoo!

      They also included the letter "A" from Adobe in the source. This is a bitch.

      Exhibit A: http://37prime.com/news/wp-content/uploads/2012/05/Yahoo-Axis.jpg

      Exhibit B: http://www.mobilemarketingwatch.com/wordpress/wp-content/uploads/2012/02/Adobe-Shakes-Up-Digital-Publishing-With-Embellished-Platform.png

      --
      "Flyin' in just a sweet place,
      Never been known to fail..."
    2. Re:Yeah... by localman57 · · Score: 5, Funny

      ...this is the group of clowns I want developing my browser extensions for me. Amiright?

      It'll be fine. They all have computer science degrees. They said so on their resumes.

    3. Re:Yeah... by Beardo the Bearded · · Score: 5, Funny

      ...this is the group of clowns I want developing my browser extensions for me. Amiright?

      Really?

      You didn't go with "bunch of yahoos"?

      --
      ECHELON is a government program to find words like bomb, jihad, plutonium, assassinate, and anarchy.
  2. Re:Can it be changed by oakgrove · · Score: 3, Informative

    The cert is revoked and Chrome now says "This extension is blacklisted." when you try to install it.

    --
    The soylentnews experiment has been a dismal failure.
  3. "...but not so open that your brains fall out." by jeffb (2.718) · · Score: 5, Funny

    That's how open your source should be.

  4. Poor Yahoo by alphax45 · · Score: 4, Funny

    I almost feel bad for them at this point. They are trying but can't seem to do anything to help themselves.

    --
    K Man
    1. Re:Poor Yahoo by virgnarus · · Score: 3, Insightful

      Nothing like what appears to be a genuine display of pity and compassion on a dying entity being modded up as "Funny". Certainly tells you how much of a laughingstock they are.

  5. Re:Can it be changed by GerbilSoft · · Score: 4, Informative

    It's Yahoo's private key that was leaked, not Google's. Assuming Chrome's certificate system is reasonably decent, Yahoo should be able to publish a CRL to revoke that certificate and/or key, and then generate a new one.

  6. Exuberance by virgnarus · · Score: 5, Funny

    Did the hacker exclaim "Yahoo!" after he discovered it?

  7. Re:Dumb question... by MickyTheIdiot · · Score: 3, Informative

    Cert has been revoked according to above notes.

    So, no, it already doesn't work. It just shows someone truly had a bad day at Yahoo yesterday (and probably before that as well).

  8. Re:Can it be changed by mcgrew · · Score: 5, Insightful

    Should I worry about this using Chrome?

    No, but you should worry about using the Axis extension. If they're going to make a mistake that incredibly stupid, you'd be a fool to use it. What other gaping holes did they leave open?

  9. Hi by Anonymous Coward · · Score: 3, Insightful

    Once again, THIS IS A BROWSER EXTENSION ON THE DESKTOP, and a FRONT END FOR MOBILE SAFARI.

    This is not a browser. This is NOT a BROWSER. FOR FUCK SAKES THIS IS NOT A BROWSER

    Hey, check out this brand new compiler I wrote! It's called yahoo_compiler.sh

        #!/bin/sh
        # pass every argument through to gcc, quoted so paths with spaces survive
        gcc "$@"

    pretty cool huh?

  10. Absolutely gibberish article summary by Anonymous Coward · · Score: 5, Insightful

    Wake up editors:

    "Yahoo on Wednesday launched a new browser called Axis and researchers immediately discovered that the company had mistakenly included its private signing key in the source file, a serious error that would allow an attacker to create a malicious, signed extension for a browser that the browser will then treat as authentic"

    Okay, perfect so far.

    "The mistake was discovered on Wednesday, soon after Yahoo had launched Axis, which is both a standalone browser for mobile devices as well as an extension for Firefox, Chrome, Safari and Internet Explorer."

    I already knew the mistake was discovered on Wednesday, soon after Yahoo had launched Axis. This sentence does have some new information though.

    "Within hours of the Axis launch, a writer and hacker named Nik Cubrilovic had noticed that the source file for the Axis Chrome extension included the private PGP key that Yahoo used to sign the file. That key is what the Chrome browser would look for in order to ensure that the extension is legitimate and authentic, and so it should never be disclosed publicly."

    Yes, I know something happened within hours of the Axis launch. You already told me twice. You also already told me why it's bad that the key was available publicly.

    Here's a new summary:
    On Wednesday, Yahoo! launched a web browser called Axis, which is both a standalone browser for mobile devices and an extension for popular desktop browsers. Shortly after launch, a writer and hacker named Nik Cubrilovic noticed that the Chrome version of the extension mistakenly included the private PGP key that Yahoo used to sign the file. This file could be used to generate a malicious spoof version of the extension.

    Never mind the secondary-source quoting, which is also obnoxious.

    1. Re:Absolutely gibberish article summary by BattleApple · · Score: 5, Insightful

      I, for one, welcome our new anonymous summary-critiquing overlord

  11. Re:Can it be changed by localman57 · · Score: 5, Funny

    Please explain instead of assuming you are right and we'll all see how right you are if only we were as smart as you.

    My cousin was on crank for a while. One time he was tweaking for about 3 days straight. And about halfway through, his sentences sounded just like that.

  12. Re:This was entirely preventable. No pity for chea by Anonymous Coward · · Score: 3, Funny

    Maybe they have a habit of hiring expensive people who claimed they were senior level in their resume?

  13. Re:Can it be changed by localman57 · · Score: 4, Funny

    What other gaping holes did they leave open?

    Everyone is advised to be very, very careful what links they click on from this parent post. You guys know what I'm talking about....

  14. Re:Can it be changed by idontgno · · Score: 2

    How about, "It hurts users who have loaded extensions signed with Yahoo's private key, who now have to unload those extensions and find updated versions signed with Yahoo's new private key."

    Fer instance.

    BTW, "hurt" is the drama-queen way to express the impact. "Inconvenience" is more accurate. Both for Yahoo, and users who have trusted Yahoo's old signatures, as long as the revocation is effective and quick enough to prevent Yahoo-signed malware from getting a foothold.

    If that happens, the impact to users escalates beyond "inconvenience" to "big inconvenience" or "real hurt", depending on what gets compromised. "Big inconvenience" == your machine becomes part of a botnet. "Real hurt" becomes a keylogger that transmits your banking or other personal information to an online crim who strips your bank accounts and begins to use your identity fraudulently.

    --
    Welcome to the Panopticon. Used to be a prison, now it's your home.
  15. How Chrome extension signing works by pspmikek · · Score: 4, Informative

    I'm not sure everyone understands exactly what this file is.

    When you create a Chrome extension, if you are not going to submit the Chrome extension to the store, you ask Chrome to package the extension. In this process, Chrome generates a private key. This key has nothing to do with identifying you as the author. It is only used so that you when you update the extension, you can package and sign it using the same key. Everyone has to keep a local copy of this key, because if you lose it, you can never update your extension. It appears Yahoo kept it in their build directory and accidentally packaged it.

    Having this private key allows you to build a Chrome extension that when installed overlays the existing Yahoo extension. This is because the private key is how Chrome uniquely identifies an extension.

    So yes, this was a dumb mistake. It would allow someone to create an add-on that when installed would overwrite the Yahoo Axis extension. To do this, you would need to create the extension and then convince someone to install it. But if you can convince someone to install it, you can convince them to install any Chrome extension.

    This was not giving away "Yahoo's private key," it was giving away "the private key that Chrome generated to allow Yahoo to sign their extension."

    There is the remote possibility that Yahoo used a real private key to sign their Chrome extension and not one generated by Chrome. If that's the case, everyone involved in the project should be fired.
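
    The comment above describes the packaging key as the thing Chrome uses to identify an extension. Strictly, the ID is derived from the public half of that key pair, which is what makes a leaked private key dangerous: anyone holding it can sign a new package that Chrome maps to the same ID. The following script is an added example, not code from the page, from Yahoo or from the Chromium project. It parses the CRX2 container (assumed layout: "Cr24" magic, then little-endian uint32 version, public key length and signature length, followed by the DER public key, the RSA signature and the zip payload), derives the extension ID the way Chrome does (first 128 bits of SHA-256 over the DER public key, hex digits remapped to the letters a through p), and then does the check that would have caught the Axis mistake: it walks the zip payload looking for PEM private-key material. The key, signature and manifest bytes are constructed placeholders, not real cryptographic values; the script checks the container and payload, it does not verify the RSA signature.

```python
"""Audit a CRX2 package: derive its Chrome extension ID and flag private keys
shipped inside the payload. Added example; sample bytes are constructed."""
import hashlib
import io
import re
import struct
import zipfile

CRX_MAGIC = b"Cr24"
# Matches the header line of any PEM-encoded private key (PKCS#1, PKCS#8, EC, DSA).
PEM_PRIVATE_KEY = re.compile(rb"-----BEGIN (?:RSA |EC |DSA |ENCRYPTED )?PRIVATE KEY-----")


def extension_id(public_key_der: bytes) -> str:
    """Chrome's extension ID: first 32 hex digits of SHA-256 over the DER public
    key, each digit mapped 0..f -> a..p. Depends only on the PUBLIC key."""
    digest = hashlib.sha256(public_key_der).hexdigest()[:32]
    return "".join(chr(ord("a") + int(c, 16)) for c in digest)


def parse_crx2(data: bytes):
    """Split a CRX2 file into (public_key_der, signature, zip_payload)."""
    if data[:4] != CRX_MAGIC:
        raise ValueError("not a CRX file")
    version, key_len, sig_len = struct.unpack_from("<III", data, 4)
    if version != 2:
        raise ValueError(f"unsupported CRX version {version}")
    key_start = 16                      # 4 magic + 3 * uint32
    sig_start = key_start + key_len
    zip_start = sig_start + sig_len
    if zip_start > len(data):
        raise ValueError("truncated CRX header")
    return data[key_start:sig_start], data[sig_start:zip_start], data[zip_start:]


def build_crx2(public_key_der: bytes, signature: bytes, zip_payload: bytes) -> bytes:
    """Inverse of parse_crx2, used here only to construct sample packages."""
    header = CRX_MAGIC + struct.pack("<III", 2, len(public_key_der), len(signature))
    return header + public_key_der + signature + zip_payload


def find_private_keys(zip_payload: bytes) -> list:
    """Names of zip entries whose content carries a PEM private-key header."""
    leaked = []
    with zipfile.ZipFile(io.BytesIO(zip_payload)) as zf:
        for info in zf.infolist():
            if info.file_size > 1_000_000:   # PEM keys are tiny; skip bulky assets
                continue
            if PEM_PRIVATE_KEY.search(zf.read(info)):
                leaked.append(info.filename)
    return leaked


def audit_crx(data: bytes) -> dict:
    """Return the extension ID and any leaked private-key entries."""
    pubkey, _signature, payload = parse_crx2(data)
    return {"id": extension_id(pubkey), "leaked_keys": find_private_keys(payload)}


def make_zip(entries: dict) -> bytes:
    """Build an in-memory zip from {name: bytes}; helper for the sample data."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample data (placeholders, not real DER/RSA material).
FAKE_PUBKEY = b"\x30\x82\x01\x22" + bytes(range(40))
FAKE_SIG = b"\x00" * 64
MANIFEST = b'{"name": "Example", "version": "1.0", "manifest_version": 2}'
FAKE_PEM = (b"-----BEGIN RSA PRIVATE KEY-----\nMIIEpAIBAAKCAQEA...placeholder...\n"
            b"-----END RSA PRIVATE KEY-----\n")

# Same key pair, two payloads: one clean, one that ships key.pem next to the manifest.
CLEAN_CRX = build_crx2(FAKE_PUBKEY, FAKE_SIG, make_zip({"manifest.json": MANIFEST}))
LEAKY_CRX = build_crx2(FAKE_PUBKEY, FAKE_SIG,
                       make_zip({"manifest.json": MANIFEST, "key.pem": FAKE_PEM}))

if __name__ == "__main__":
    for label, crx in (("clean", CLEAN_CRX), ("leaky", LEAKY_CRX)):
        print(label, audit_crx(crx))
```

    Two things fall out of running it. Both packages get the same ID because the ID depends only on the public key, which is exactly why a package signed with the leaked private key would install over the original, and also why rotating to a fresh key changes the ID and leaves existing users on an orphaned extension. And the leak itself is a build-hygiene failure that a pre-publish scan like find_private_keys catches before the package leaves the build machine.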

  16. It's called an OpenPGP key. by MagicFab · · Score: 2

    OpenPGP, PGP and GnuPG / GPG are often used interchangeably - a common mistake.

    OpenPGP is technically a proposed standard although it is widely used.

    PGP is an acronym for Pretty Good Privacy, a computer program which provides cryptographic privacy and authentication.

    GnuPG is an abbreviation for Gnu Privacy Guard, another computer program which provides cryptographic privacy and authentication.

    gpg is the name of the binary executable file for GnuPG in Gnu/Linux- and Unix-based operating systems.

    --
    Notepad specialist & FAT administrator, group training available
  17. Re:Can it be changed by Anonymous Coward · · Score: 2, Informative

    No, Chrome polls for a list of blacklisted plugins every few hours. It's entirely independent of the browser updates.