Yahoo rushes to fix Axis browser certificate leak in Chrome


Yahoo has issued an updated Google Chrome extension for its just-released Axis browser after the original add-on contained the private certificate used to sign it.

The company, which announced the browser on Wednesday, also revoked the exposed certificate soon after researcher Nik Cubrilovic publicly disclosed his findings.

Axis is available as a standalone download for Apple mobile devices, such as the iPhone and iPad, and can be installed on desktops as a plug-in for browsers such as Internet Explorer, Mozilla Firefox and Chrome. But Cubrilovic found that the source package shipped in the Chrome add-on included the private key file, material that can be used to mimic a legitimate Yahoo program.

"The certificate file is used by Yahoo to sign the extension package, which is used by Chrome and [its] Web Store to authenticate that the package comes from Yahoo," he wrote. "With access to the private certificate file, a malicious attacker is able to create a forged extension that Chrome will authenticate as being from Yahoo."

Joshua Long, a guest blogger at security firm Sophos, said the leaked key could be used to perform malicious acts.

"A private key is used by a developer to sign an extension package in order to prove that the extension is actually from the developer," he explained in a Thursday blog post. "If a malicious third party were to obtain the private key, they would be able to release an extension signed with that developer's certificate. In other words, any of us could write an app and fairly convincingly pretend that it was actually from Yahoo."
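The failure described above is a packaging mistake: the signing key was left inside the files that were shipped. The following pre-publish check is an added example and is not code from Yahoo, Axis or Sophos. It assumes the extension is an unpacked directory (the form Chrome loads with "Load unpacked") and walks it for PEM private key blocks and key-store file extensions before the package is signed and uploaded; the sample extension tree it builds, including the placeholder key text, is constructed for the demonstration.

```python
"""Pre-publish check for leaked signing keys in a browser-extension package.

Added example, not code from Yahoo or the Axis project. It assumes the
package is an unpacked extension directory; the sample files built by
build_sample_extension() are constructed for the demo.
"""
import os
import re
import tempfile

# PEM markers that indicate private key material (PKCS#1, PKCS#8, EC, DSA,
# OpenSSH and encrypted PKCS#8). A signing key should never be in the package.
PRIVATE_KEY_PEM = re.compile(
    rb"-----BEGIN (?:RSA |EC |DSA |OPENSSH |ENCRYPTED )?PRIVATE KEY-----"
)
# Binary key-store formats are flagged by extension; a shipped extension
# has no legitimate need for any of them.
KEY_FILE_EXTENSIONS = {".pem", ".key", ".p12", ".pfx", ".jks"}


def scan_file(path):
    """Return a reason string if the file looks like private key material, else None."""
    ext = os.path.splitext(path)[1].lower()
    if ext in KEY_FILE_EXTENSIONS:
        return "key-file extension %s" % ext
    try:
        with open(path, "rb") as fh:
            head = fh.read(1 << 20)  # the first MiB is enough to find a PEM header
    except OSError:
        return None
    if PRIVATE_KEY_PEM.search(head):
        return "PEM private key block"
    return None


def find_private_keys(root):
    """Walk an unpacked extension directory; return sorted [(relative_path, reason), ...]."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            reason = scan_file(full)
            if reason:
                findings.append((os.path.relpath(full, root), reason))
    return sorted(findings)


def build_sample_extension():
    """Construct a throwaway extension tree: a clean manifest and script, plus
    two leaked-key files mirroring the Axis mistake. Returns the root path."""
    root = tempfile.mkdtemp(prefix="ext-")
    with open(os.path.join(root, "manifest.json"), "w") as fh:
        fh.write('{"name": "demo", "version": "1.0", "manifest_version": 2}')
    with open(os.path.join(root, "background.js"), "w") as fh:
        fh.write("console.log('hello');\n")
    os.mkdir(os.path.join(root, "build"))
    with open(os.path.join(root, "build", "signing.pem"), "w") as fh:
        # Constructed placeholder body, not a real key.
        fh.write("-----BEGIN RSA PRIVATE KEY-----\n"
                 "placeholder-not-a-real-key\n"
                 "-----END RSA PRIVATE KEY-----\n")
    with open(os.path.join(root, "notes.txt"), "w") as fh:
        # A key pasted into an innocuous-looking file is caught by content, not name.
        fh.write("-----BEGIN PRIVATE KEY-----\nplaceholder\n-----END PRIVATE KEY-----\n")
    return root


if __name__ == "__main__":
    sample = build_sample_extension()
    for rel, why in find_private_keys(sample):
        print("LEAK: %s (%s)" % (rel, why))
    # Expected: build/signing.pem (key-file extension .pem) and notes.txt (PEM block)
```

Run it as the last step of the build, before the package is signed, and fail the build on any finding. The content match matters more than the extension match: the second sample file shows that a key pasted into a notes file is only caught by looking inside it.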

According to reports, Yahoo has fixed the snafu. A spokesperson did not immediately respond to a request from SCMagazine.com for comment.
