The company, which announced the browser on Wednesday, also revoked the exposed cert file soon after researcher Nik Cubrilovic publicly disclosed his findings.
Axis is available as a standalone download for Apple mobile devices, such as the iPhone and iPad, and can be installed on desktops as a plug-in from browsers like Internet Explorer, Mozilla Firefox and Chrome. But Cubrilovic found that the source code contained in the Chrome add-on contains information that can be used to mimic a legitimate Yahoo program.
“The certificate file is used by Yahoo to sign the extension package, which is used by Chrome and [its] Web Store to authenticate that the package comes from Yahoo,” he wrote. “With access to the private certificate file, a malicious attacker is able to create a forged extension that Chrome will authenticate as being from Yahoo.”
Joshua Long, a guest blogger at security firm Sophos, said this can be used to perform malicious acts.
“A private key is used by a developer to sign an extension package in order to prove that the extension is actually from the developer,” he explained in a Thursday blog post. “If a malicious third party were to obtain the private key, they would be able to release an extension signed with that developer’s certificate. In other words, any of us could write an app and fairly convincingly pretend that it was actually from Yahoo.”
According to reports, Yahoo has fixed the snafu. A spokesperson did not immediately respond to a request by SCMagazine.com for comment.