Follow Slashdot blog updates by subscribing to our blog RSS feed


Forgot your password?

Submission + - Yahoo Includes Private Key in Source File For Axis Chrome Extension (

Trailrunner7 writes: Yahoo on Wednesday launched a new browser called Axis and researchers immediately discovered that the company had mistakenly included its private signing key in the source file, a serious error that would allow an attacker to create a malicious, signed extension for a browser that the browser will then treat as authentic.

The mistake was discovered on Wednesday, soon after Yahoo had launched Axis, which is both a standalone browser for mobile devices as well as an extension for Firefox, Chrome, Safari and Internet Explorer. Yahoo is touting the browser's predictive search capability, which will guess what the user is trying to search for as she is typing and bring up thumbnail images of potential matches.

But that's not the thing that got the most attention. Within hours of the Axis launch, a writer and hacker named Nik Cubrilovic had noticed that the source file for the Axis Chrome extension included the private PGP key that Yahoo used to sign the file. That key is what the Chrome browser would look for in order to ensure that the extension is legitimate and authentic, and so it should never be disclosed publicly.

This discussion was created for logged-in users only, but now has been archived. No new comments can be posted.

Yahoo Includes Private Key in Source File For Axis Chrome Extension

Comments Filter:

Statistics are no substitute for judgement. -- Henry Clay