Yahoo rushes to fix Axis browser certificate leak in Chrome


Yahoo has issued an updated Google Chrome extension for its just-released Axis browser after the original add-on was found to contain the private key used to sign it.

The company, which announced the browser on Wednesday, also revoked the exposed key soon after researcher Nik Cubrilovic publicly disclosed his findings.

Axis is available as a standalone download for Apple mobile devices, such as the iPhone and iPad, and can be installed on desktops as a plug-in for browsers such as Internet Explorer, Mozilla Firefox and Chrome. But Cubrilovic found that the source package of the Chrome add-on contained material that could be used to impersonate a legitimate Yahoo program.

"The certificate file is used by Yahoo to sign the extension package, which is used by Chrome and [its] Web Store to authenticate that the package comes from Yahoo," he wrote. "With access to the private certificate file, a malicious attacker is able to create a forged extension that Chrome will authenticate as being from Yahoo."

Joshua Long, a guest blogger at security firm Sophos, explained how the leaked key could be abused.

"A private key is used by a developer to sign an extension package in order to prove that the extension is actually from the developer," he explained in a Thursday blog post. "If a malicious third party were to obtain the private key, they would be able to release an extension signed with that developer's certificate. In other words, any of us could write an app and fairly convincingly pretend that it was actually from Yahoo."

According to reports, Yahoo has fixed the snafu. A spokesperson did not immediately respond to a request by SCMagazine.com for comment.
