Adobe Security Team Accidentally Posts Private PGP Key On Blog

A member of Adobe's Product Security Incident Response Team (PSIRT) accidentally posted the PGP keys for PSIRT's email account -- both the public and the private keys. According to Ars Technica, "the keys have since been taken down, and a new public key has been posted in its stead." From the report: The faux pas was spotted at 1:49pm ET by security researcher Juho Nurminen. Nurminen was able to confirm that the key was associated with the psirt@adobe.com e-mail account. To be fair to Adobe, PGP security is harder than it should be. What obviously happened is that a PSIRT team member exported a text file from PSIRT's shared webmail account using Mailvelope, the Chrome and Firefox browser extension, to add to the team's blog. But instead of clicking on the "public" button, the person responsible clicked on "all" and exported both keys into a text file. Then, without realizing the error, the text file was cut/pasted directly to Adobe's PSIRT blog.

Impossible!

[fuzzyfuzzyfungus]

This article is clearly a lie. How can a mythological entity have a PGP key?

UI failure

As much as I hate Adobe and most of their shitware, I don't think it's fair to totally fault the poor person who did this.

But instead of clicking on the "public" button, the person responsible clicked on "all" and exported both keys into a text file.

If a mistake of this magnitude is a single misclick away from happening - something that's really easy to do in a moment's careless mistake of the type EVERYONE has - something is broken with that UI.

There should be warnings in red you have to override with an explicit and nontrivial action.