Yahoo rushes to fix Axis browser certificate leak in Chrome

Yahoo has issued an updated Google Chrome extension for its just-released Axis browser after the original add-on contained the private certificate used to sign it.

The company, which announced the browser on Wednesday, also revoked the exposed cert file soon after researcher Nik Cubrilovic publicly disclosed his findings. 

Axis is available as a standalone download for Apple mobile devices, such as the iPhone and iPad, and can be installed on desktops as a plug-in for browsers like Internet Explorer, Mozilla Firefox and Chrome. But Cubrilovic found that the Chrome add-on's package shipped with the private signing certificate, which could be used to pass off a forged extension as a legitimate Yahoo program.

"The certificate file is used by Yahoo to sign the extension package, which is used by Chrome and [its] Web Store to authenticate that the package comes from Yahoo," he wrote. "With access to the private certificate file, a malicious attacker is able to create a forged extension that Chrome will authenticate as being from Yahoo."

Joshua Long, a guest blogger at security firm Sophos, said this can be used to perform malicious acts.

"A private key is used by a developer to sign an extension package in order to prove that the extension is actually from the developer," he explained in a Thursday blog post. "If a malicious third party were to obtain the private key, they would be able to release an extension signed with that developer's certificate. In other words, any of us could write an app and fairly convincingly pretend that it was actually from Yahoo."
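A defender-side check that follows from the explanation above, added here as an example (not code from Yahoo, Sophos or the article): it unwraps a Chrome CRX2 package (or accepts a plain ZIP) and lists any archive members that carry a PEM private-key block, which is exactly the kind of file that should never leave the developer's machine. The CRX2 header layout and the constructed sample package are assumptions made for the demo.

```python
import io
import struct
import zipfile

# PEM headers that indicate private-key material inside a shipped package.
PRIVATE_KEY_MARKERS = (
    b"-----BEGIN RSA PRIVATE KEY-----",
    b"-----BEGIN PRIVATE KEY-----",
    b"-----BEGIN EC PRIVATE KEY-----",
    b"-----BEGIN ENCRYPTED PRIVATE KEY-----",
)


def crx_payload(data: bytes) -> bytes:
    """Return the ZIP payload of a CRX2 package, or the data unchanged for a plain ZIP.

    Assumed CRX2 layout: magic 'Cr24', uint32 LE version (2), uint32 LE public-key
    length, uint32 LE signature length, then public key, signature and the ZIP.
    """
    if data[:4] != b"Cr24":
        return data
    version, pk_len, sig_len = struct.unpack("<III", data[4:16])
    if version != 2:
        raise ValueError(f"unsupported CRX version {version}")
    return data[16 + pk_len + sig_len:]


def find_private_keys(package: bytes) -> list:
    """List archive members whose content contains a PEM private-key block."""
    leaks = []
    with zipfile.ZipFile(io.BytesIO(crx_payload(package))) as zf:
        for info in zf.infolist():
            content = zf.read(info)
            if any(marker in content for marker in PRIVATE_KEY_MARKERS):
                leaks.append(info.filename)
    return leaks


def build_sample_zip() -> bytes:
    """Constructed sample: an extension ZIP that mistakenly includes a .pem (dummy text, not a real key)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("manifest.json", '{"name": "demo", "version": "1.0"}')
        zf.writestr("background.js", "console.log('hi');")
        zf.writestr("key.pem", "-----BEGIN RSA PRIVATE KEY-----\nDUMMY\n-----END RSA PRIVATE KEY-----\n")
    return buf.getvalue()


def build_sample_crx() -> bytes:
    """Constructed sample: wrap the ZIP in a CRX2 header with placeholder key and signature bytes."""
    pubkey, signature, payload = b"\x00" * 8, b"\x00" * 4, build_sample_zip()
    return b"Cr24" + struct.pack("<III", 2, len(pubkey), len(signature)) + pubkey + signature + payload


if __name__ == "__main__":
    print(find_private_keys(build_sample_crx()))  # ['key.pem']
```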

According to reports, Yahoo has fixed the snafu. A spokesperson did not immediately respond to a request by SCMagazine.com for comment.
