Slashdot Mirror

← Back to Stories (view on slashdot.org)

Yahoo Includes Private Key In Source File For Axis Chrome Extension

Posted by timothy on from the open-source-rocks dept.

Trailrunner7 writes "Yahoo on Wednesday launched a new browser called Axis and researchers immediately discovered that the company had mistakenly included its private signing key in the source file, a serious error that would allow an attacker to create a malicious, signed extension for a browser that the browser will then treat as authentic. The mistake was discovered on Wednesday, soon after Yahoo had launched Axis, which is both a standalone browser for mobile devices as well as an extension for Firefox, Chrome, Safari and Internet Explorer. ... Within hours of the Axis launch, a writer and hacker named Nik Cubrilovic had noticed that the source file for the Axis Chrome extension included the private PGP key that Yahoo used to sign the file. That key is what the Chrome browser would look for in order to ensure that the extension is legitimate and authentic, and so it should never be disclosed publicly."

12 of 85 comments (clear)

  1. "...but not so open that your brains fall out." by jeffb+(2.718) · · Score: 5, Funny

    That's how open your source should be.

  2. Poor Yahoo by alphax45 · · Score: 4, Funny

    I almost feel bad for them at this point. They are trying but can't seem to do anything to help themselves.

    --
    K Man
  3. Re:Can it be changed by GerbilSoft · · Score: 4, Informative

    It's Yahoo's private key that was leaked, not Google's. Assuming Chrome's certificate system is reasonably decent, Yahoo should be able to publish a CRL to revoke that certificate and/or key, and then generate a new one.

  4. Exuberance by virgnarus · · Score: 5, Funny

    Did the hacker exclaim "Yahoo!" after he discovered it?

  5. Re:Can it be changed by mcgrew · · Score: 5, Insightful

    Should I worry about this using Chrome?

    No, but you should worrry about using the Axix extension. If they're going to make a mistake that incredibly stupid, you'd be a fool to use it. What other gaping holes did they leave open?

    --
    Free Martian Whores!
  6. Re:Yeah... by localman57 · · Score: 5, Funny

    ...this is the group of clowns I want developing my browser extensions for me. Amiright?

    It'll be fine. They all have computer science degrees. They said so on their resumes.

  7. Absolutely gibberish article summary by Anonymous Coward · · Score: 5, Insightful

    Wake up editors:

    "Yahoo on Wednesday launched a new browser called Axis and researchers immediately discovered that the company had mistakenly included its private signing key in the source file, a serious error that would allow an attacker to create a malicious, signed extension for a browser that the browser will then treat as authentic"

    Okay, perfect so far.

    "The mistake was discovered on Wednesday, soon after Yahoo had launched Axis, which is both a standalone browser for mobile devices as well as an extension for Firefox, Chrome, Safari and Internet Explorer."

    I already knew the mistake was discovered on Wednesday, soon after Yahoo had launched Axis. This sentence does have some new information though.

    "Within hours of the Axis launch, a writer and hacker named Nik Cubrilovic had noticed that the source file for the Axis Chrome extension included the private PGP key that Yahoo used to sign the file. That key is what the Chrome browser would look for in order to ensure that the extension is legitimate and authentic, and so it should never be disclosed publicly."

    Yes, I know something happened within hours of the Axis launch. You already told me twice. You also already told me why it's bad that the key was available publicly.

    Here's a new summary:
    On Wednesday, Yahoo! launched a web browser called Axis, which is both a standalone browser for mobile devices and an extension for popular desktop browsers. Shortly after launch, a writer and hacker named Nik Cubrilovic noticed that the Chrome version of the extension mistakenly included the private PGP key that Yahoo used to sign the file. This file could be used to generate a malicious spoof version of the extension.

    Never mind the secondary-source quoting, which is also obnoxious.

    1. Re:Absolutely gibberish article summary by BattleApple · · Score: 5, Insightful

      I, for one, welcome our new anonymous summary-critiquing overlord

  8. Re:Can it be changed by localman57 · · Score: 5, Funny

    Please explain instead of assuming you are right and we'll all see how right you are if only we were as smart as you.

    My cousin was on crank for a while. One time he was tweaking for about 3 days straight. And about halfway through, his sentences sounded just like that.

  9. Re:Yeah... by Beardo+the+Bearded · · Score: 5, Funny

    ...this is the group of clowns I want developing my browser extensions for me. Amiright?

    Really?

    You didn't go with "bunch of yahoos"?

    --

    ---
    ECHELON is a government program to find words like bomb, jihad, plutonium, assassinate, and anarchy.
  10. Re:Can it be changed by localman57 · · Score: 4, Funny

    What other gaping holes did they leave open?

    Everyone is advised to be very, very careful what links they click on from this parent post. You guys know what I'm talking about....

  11. How Chrome extension signing works by pspmikek · · Score: 4, Informative

    I'm not sure everyone understands exactly what this file is.

    When you create a Chrome extension, if you are not going to submit the Chrome extension to the store, you ask Chrome to package the extension. In this process, Chrome generates a private key. This key has nothing to do with identifying you as the author. It is only used so that you when you update the extension, you can package and sign it using the same key. Everyone has to keep a local copy of this key, because if you lose it, you can never update your extension. It appears Yahoo kept it in their build directory and accidentally packaged it.

    Having this private key allows you to build a Chrome extension that when installed overlays the existing Yahoo extension. This is because the private key is how Chrome uniquely identifies an extension.

    So yes, this was a dumb mistake. It would allow someone to create an add-on that when installed would overwrite the Yahoo Axis extension. To do this, you would need to create the extension and then convince someone to install it. But if you can convince someone to install it, you can convince them to install any Chrome extension.

    This was not giving away "Yahoo's private key," it was giving away "the private key that Chrome generated to allow Yahoo to sign their extension."

    There is the remote possibility that Yahoo used a real private key to sign their Chrome extension and not one generated by Chrome. If that's the case, everyone involved in the project should be fired.