Yahoo! leaks! private! key! in! Axis! Chrome! debut!

Yahoo! today released its Axis extension for Chrome – and accidentally leaked its private security key that could allow anyone to create malicious plugins masquerading as official Yahoo! software. Australian entrepreneur Nik Cubrilovic, who last year garnered notice for identifying Facebook's tracking cookies, revealed the …

COMMENTS

This topic is closed for new posts.

Chrome is a piece of malicious ...

... software anyway. Keeps wanting to get installed on your system no matter how many times you say NO.

5
3
Anonymous Coward

Re: Chrome is a piece of malicious ...

Indeed, especially Chrome versions WITH RLZ tracking.

Nice trick there Google, washing your hands by offering a RLZ free version from your official site, but dumping the RLZ-laden one on your "partners".

1
1
Anonymous Coward

Re: Chrome is a piece of malicious ...

You can download a non-googlified version of Chrome (Chromium, the underlying browser) but have to go to http://www.chromium.org/getting-involved/download-chromium (cause that's an obvious address).

1
0
Alien

Re: Chrome is a piece of malicious ...

<sarcasm>Yes, RLZ is so scary. It totally violates your privacy...</sarcasm>

http://code.google.com/p/rlz/wiki/HowToReadAnRlzString

0
0
Facepalm

uh-oh.. bad career move

I wouldn't want to be standing in the shoes of the developer that forgot to take out that key :P

3
0

Re: uh-oh.. bad career move

Or the QA / peer reviewer that missed it...

0
0

Re: uh-oh.. bad career move

I can't imagine why they needed to put the private key in in the first place. The private key should stay with the signer. Is every Yahoo developer given a copy?

0
0
Silver badge
Happy

Yahoo! - the comedy gift that just keeps on giving :-)

I so hope they don't implode totally - their never ending antics are fantastic entertainment!

2
0
Unhappy

Re: Yahoo! - the comedy gift that just keeps on giving :-)

Their fall from grace has been both hilarious and kind of disappointing.

0
0

Re: Yahoo! - the comedy gift that just keeps on giving :-)

I shouldn't, but I still feel sorry for the brand they destroy.

I never took their search seriously; I always considered them an internet utility. I just wish the days of inventions like "my Yahoo" (which is still ages ahead), full-feature environments in instant messenger, news/video and the really wasted Yahoo finance/broadband would come back.

0
0

Coming soon, the outrageous comedy: Yahoo! The Movie.

0
0
FAIL

What's the point of pulling the package that had the private key in it? The private key is probably in the hands of miscreants now. The key needs to be revoked ASAP, and blacklisted in any browser or other software that uses that type of certificate to authenticate plugins and extensions.

0
0

Damage limitation? Blacklisting the key and then changing anything that uses that key to use a new one would take time. Therefore, as a temporary measure, removing the key would be an attempt at trying to limit the dispersal. Pretty standard thing to do under the circumstances, I would think?

0
0

Damage limitation should be thought of as limiting the damage of the already exposed key, not in terms of "should we stop distributing the key" (which should also happen).

It shouldn't take long to get a new private key signed by a certificate authority. They shouldn't have to do a full QA cycle on any re-released code as all they're doing is changing the signing certificate.

Is it more work and could take a few hours longer? Probably.

However, we've already REPEATEDLY seen situations where code signing keys have been used to inject malware without the popup requesting you acknowledge running unsigned code. Virus/trojan writers are likely already preparing their new code with this key as I type.

This demonstrates another example of the failure of trust chains. All the trust chain says is "CA X trusts that Company Y is who they say they are", but it's been abused to say "this code is OK to install as the chain is valid" as the OS has a key from the CA. The entire process needs to be rethought.

0
0
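The comment above argues that a valid signature chain only proves who holds the key, not that the code is safe. For Chrome extensions the binding is even tighter: the extension's 32-character ID is derived from the SHA-256 digest of the DER-encoded public key that signs the package (first 128 bits of the digest, written with the letters a-p in place of the hex digits 0-f). The following Python is an added example, not code from the article, the commenters or Yahoo!. It shows that the ID is a pure function of the key, so a package signed with a leaked private key carries the same ID as the vendor's own build and is indistinguishable to the browser, whereas a package signed with any other key gets a different ID and can be caught by comparing against the ID you expect. The "key" byte strings are constructed placeholders, not real DER key material.

```python
"""Added example: Chrome extension identity is bound to the signing key.

The ID derivation mirrors Chrome's CRX scheme: SHA-256 over the DER
SubjectPublicKeyInfo of the signing key, first 32 hex characters, each hex
digit mapped to a letter a-p. The sample key bytes below are constructed
stand-ins so the script runs offline; they are not real keys.
"""
import hashlib

# Chrome writes the ID with the letters a-p instead of hex digits 0-f.
HEX_TO_AP = str.maketrans("0123456789abcdef", "abcdefghijklmnop")


def id_from_hex_digest(digest_hex: str) -> str:
    """Map the first 128 bits (32 hex chars) of a digest to Chrome's a-p alphabet."""
    return digest_hex[:32].lower().translate(HEX_TO_AP)


def extension_id_from_public_key(der_public_key: bytes) -> str:
    """Derive the extension ID from the DER-encoded public key that signs the package."""
    digest_hex = hashlib.sha256(der_public_key).hexdigest()
    return id_from_hex_digest(digest_hex)


def key_matches_expected_id(der_public_key: bytes, expected_id: str) -> bool:
    """Defender-side check: does the public key in a package derive the ID we trust?

    Note what this can and cannot detect: a package signed with the genuine
    (leaked) key passes, because the ID depends only on the key. A package
    signed with any other key yields a different ID and fails.
    """
    return extension_id_from_public_key(der_public_key) == expected_id.lower()


# Constructed placeholders standing in for DER public-key blobs (not real keys).
VENDOR_KEY = b"constructed-vendor-public-key-bytes"
OTHER_KEY = b"constructed-unrelated-public-key-bytes"


def demo() -> dict:
    """Walk through the three cases a reviewer of this incident cares about."""
    vendor_id = extension_id_from_public_key(VENDOR_KEY)
    return {
        "vendor_id": vendor_id,
        # Same key (genuine or leaked) -> same ID; browser cannot tell them apart.
        "leaked_key_same_id": key_matches_expected_id(VENDOR_KEY, vendor_id),
        # Unrelated key -> different ID; a pinned expected ID catches this.
        "other_key_same_id": key_matches_expected_id(OTHER_KEY, vendor_id),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The practical consequence matches what the commenter describes: once the private key is public, revoking and re-keying means the extension also acquires a new ID, because the ID is the key. Pinning an expected ID only helps against packages signed with a different key.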
Anonymous Coward

Is the replacement package signed with the same key?

3
0
Thumb Up

hahaha wouldn't that be a neat trick :D

0
0

Lovely name (!)

Call a browser extension "axis", which is associated with Nazis and, recently, terrorists.

1
0

Re: Lovely name (!)

So the Earth spins on a Nazi inclined at 23.5 degrees?

0
0

Re: Lovely name (!)

I am just saying that "axis", especially in certain areas, has a bad feeling associated with it.

Like, you should ask Intel and others why they jumped directly to 667 MHz, not 666, or why those super high-tech buildings in China and Hong Kong don't have a 4th floor, or why no German company will use the number "88" as a model/version.

Actually, companies like Apple and Microsoft have large word lists consisting of things like that, and they are even careful with some weird DLL filename buried five folders deep. Amazon is said to have consulted sociology experts and Turkish personnel while naming "Mechanical Turk", to check whether it would offend Turks or not.

0
0
Gold badge
Coat

Re: Lovely name (!)

Reichsfuhrer Atlas?

0
0