Forgot your password?
typodupeerror
Security

+ - Yahoo Includes Private Key in Source File For Axis Chrome Extension->

Submitted by Trailrunner7
Trailrunner7 (1100399) writes "Yahoo on Wednesday launched a new browser called Axis and researchers immediately discovered that the company had mistakenly included its private signing key in the source file, a serious error that would allow an attacker to create a malicious, signed extension for a browser that the browser will then treat as authentic.

The mistake was discovered on Wednesday, soon after Yahoo had launched Axis, which is both a standalone browser for mobile devices as well as an extension for Firefox, Chrome, Safari and Internet Explorer. Yahoo is touting the browser's predictive search capability, which will guess what the user is trying to search for as she is typing and bring up thumbnail images of potential matches.

But that's not the thing that got the most attention. Within hours of the Axis launch, a writer and hacker named Nik Cubrilovic had noticed that the source file for the Axis Chrome extension included the private PGP key that Yahoo used to sign the file. That key is what the Chrome browser would look for in order to ensure that the extension is legitimate and authentic, and so it should never be disclosed publicly."

Link to Original Source
This discussion was created for logged-in users only, but now has been archived. No new comments can be posted.

Yahoo Includes Private Key in Source File For Axis Chrome Extension

Comments Filter:

At these prices, I lose money -- but I make it up in volume. -- Peter G. Alaquon

Working...