Yahoo rushes to fix Axis browser certificate leak in Chrome


Yahoo has issued an updated Google Chrome extension for its just-released Axis browser after the original add-on shipped with the private signing key (the certificate file) used to sign it.

The company, which announced the browser on Wednesday, also revoked the exposed certificate soon after researcher Nik Cubrilovic publicly disclosed his findings.

Axis is available as a standalone download for Apple mobile devices, such as the iPhone and iPad, and can be installed on desktops as a plug-in for browsers such as Internet Explorer, Mozilla Firefox and Chrome. Cubrilovic found that the source code shipped in the Chrome add-on included material that can be used to pass off a forged extension as a legitimate Yahoo program.

"The certificate file is used by Yahoo to sign the extension package, which is used by Chrome and [its] Web Store to authenticate that the package comes from Yahoo," he wrote. "With access to the private certificate file, a malicious attacker is able to create a forged extension that Chrome will authenticate as being from Yahoo."

Joshua Long, a guest blogger at security firm Sophos, said the exposed key could be abused to impersonate Yahoo.

"A private key is used by a developer to sign an extension package in order to prove that the extension is actually from the developer," he explained in a Thursday blog post. "If a malicious third party were to obtain the private key, they would be able to release an extension signed with that developer's certificate. In other words, any of us could write an app and fairly convincingly pretend that it was actually from Yahoo."
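To make concrete what the two quotes describe, here is an added example in Go; it is not code from the article, from Yahoo or from the Chrome project. It reproduces the CRX2 package format Chrome used at the time: the developer's public key ships inside the package, the extension ID is derived from that key, and the browser only checks that the signature verifies under the embedded key. The keys and payloads are generated in the program as stand-ins, so nothing here touches Yahoo's real key or extension.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/x509"
	"encoding/binary"
	"errors"
	"fmt"
)

// extensionID derives the ID Chrome assigns from the DER-encoded public key:
// the first 16 bytes of SHA-256(key), each hex nibble written as a letter 'a'..'p'.
func extensionID(pubDER []byte) string {
	sum := sha256.Sum256(pubDER)
	id := make([]byte, 32)
	for i, b := range sum[:16] {
		id[2*i] = 'a' + b>>4
		id[2*i+1] = 'a' + b&0x0f
	}
	return string(id)
}

// packCRX2 wraps a zip payload in a CRX2 container: magic "Cr24", version 2,
// key and signature lengths (little-endian), the public key, then an
// RSA PKCS#1 v1.5 / SHA-1 signature over the payload.
func packCRX2(priv *rsa.PrivateKey, payload []byte) ([]byte, error) {
	pubDER, err := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	if err != nil {
		return nil, err
	}
	digest := sha1.Sum(payload)
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA1, digest[:])
	if err != nil {
		return nil, err
	}
	var buf bytes.Buffer
	buf.WriteString("Cr24")
	for _, v := range []uint32{2, uint32(len(pubDER)), uint32(len(sig))} {
		if err := binary.Write(&buf, binary.LittleEndian, v); err != nil {
			return nil, err
		}
	}
	buf.Write(pubDER)
	buf.Write(sig)
	buf.Write(payload)
	return buf.Bytes(), nil
}

// verifyCRX2 does what the browser does on install: parse the header, check the
// signature with the key embedded in the package, and return the extension ID
// derived from that key. Nothing ties the key to a named developer beyond the ID.
func verifyCRX2(crx []byte) (id string, payload []byte, err error) {
	if len(crx) < 16 || string(crx[:4]) != "Cr24" {
		return "", nil, errors.New("not a CRX file")
	}
	if v := binary.LittleEndian.Uint32(crx[4:8]); v != 2 {
		return "", nil, fmt.Errorf("unsupported CRX version %d", v)
	}
	keyLen := int(binary.LittleEndian.Uint32(crx[8:12]))
	sigLen := int(binary.LittleEndian.Uint32(crx[12:16]))
	if keyLen < 0 || sigLen < 0 || 16+keyLen+sigLen > len(crx) {
		return "", nil, errors.New("truncated CRX header")
	}
	pubDER := crx[16 : 16+keyLen]
	sig := crx[16+keyLen : 16+keyLen+sigLen]
	payload = crx[16+keyLen+sigLen:]
	parsed, err := x509.ParsePKIXPublicKey(pubDER)
	if err != nil {
		return "", nil, err
	}
	pub, ok := parsed.(*rsa.PublicKey)
	if !ok {
		return "", nil, errors.New("CRX key is not RSA")
	}
	digest := sha1.Sum(payload)
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA1, digest[:], sig); err != nil {
		return "", nil, fmt.Errorf("signature check failed: %w", err)
	}
	return extensionID(pubDER), payload, nil
}

func main() {
	// Stand-in for the leaked signing key: generated here, not Yahoo's key.
	leaked, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	genuine, _ := packCRX2(leaked, []byte("constructed stand-in for the genuine extension zip"))
	forged, _ := packCRX2(leaked, []byte("constructed stand-in for an attacker's extension zip"))
	idGenuine, _, _ := verifyCRX2(genuine)
	idForged, _, _ := verifyCRX2(forged)
	fmt.Println("genuine:", idGenuine)
	fmt.Println("forged: ", idForged, "same ID:", idGenuine == idForged)

	// A fresh key, as after revocation, yields a different ID for the same payload.
	fresh, _ := rsa.GenerateKey(rand.Reader, 2048)
	rotated, _ := packCRX2(fresh, []byte("constructed stand-in for the genuine extension zip"))
	idRotated, _, _ := verifyCRX2(rotated)
	fmt.Println("rotated:", idRotated, "same ID:", idRotated == idGenuine)
}
```

Run it and the genuine and forged packages print the same 32-letter ID while the package signed with a fresh key prints a different one. That is the whole of the problem: in this format possession of the private key is what "from Yahoo" means, so once the key is public the only remedy is a new key, and every package signed with the old one remains indistinguishable from the real thing.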

According to reports, Yahoo has fixed the snafu. A spokesperson did not immediately respond to a request from SCMagazine.com for comment.
