
Yahoo Includes Private Key In Source File For Axis Chrome Extension 85

Posted by timothy
from the open-source-rocks dept.
Trailrunner7 writes "Yahoo on Wednesday launched a new browser called Axis and researchers immediately discovered that the company had mistakenly included its private signing key in the source file, a serious error that would allow an attacker to create a malicious, signed extension for a browser that the browser will then treat as authentic. The mistake was discovered on Wednesday, soon after Yahoo had launched Axis, which is both a standalone browser for mobile devices as well as an extension for Firefox, Chrome, Safari and Internet Explorer. ... Within hours of the Axis launch, a writer and hacker named Nik Cubrilovic had noticed that the source file for the Axis Chrome extension included the private PGP key that Yahoo used to sign the file. That key is what the Chrome browser would look for in order to ensure that the extension is legitimate and authentic, and so it should never be disclosed publicly."
  • Yeah... (Score:3, Insightful)

    by Anonymous Coward on Thursday May 24, 2012 @01:51PM (#40101469)
    ...this is the group of clowns I want developing my browser extensions for me. Amiright?
  • by jeffb (2.718) (1189693) on Thursday May 24, 2012 @01:55PM (#40101519)

    That's how open your source should be.

  • Poor Yahoo (Score:5, Funny)

    by alphax45 (675119) on Thursday May 24, 2012 @01:55PM (#40101535)
    I almost feel bad for them at this point. They are trying but can't seem to do anything to help themselves.
    • Re: (Score:1, Insightful)

      by Anonymous Coward

      I think this might go down as the moment where Yahoo? lost their last shred of credibility as a technology company. And it's not this one mistake that signals the end...it's the fact that I'm not that surprised by it. If it were Google or even Facebook I would be shocked. But Yahoo? Yeah, sounds about right.

      For a long time I've said that Yahoo? needs to forget the fact that they started as a search company. They're still a serious player in online display advertising and they own a lot of properties that ar

      • by Anonymous Coward

        I tend to agree. What'll be key here is how well and how fast they fix & reduce this faux pas. That'll reflect true dev resources, and I'm not sure they have any.

        About a decade ago they tried to hire me. Big push to assemble a dream team of web developers, big offers with full perks already long vanished in the post-boom. The top-ordained plan was to hire all of the Names their devs respected, with serious funding and empowerment of their web staff thereafter.

        They'd figured out being second-place to Goo

    • This is exactly what happens when you hire too few senior level technicians.

      Yes, they are more expensive than their entry-level counterparts. But as stories like this one show, they are worth it.

      • Re: (Score:3, Funny)

        by Anonymous Coward
        Maybe they have a habit of hiring expensive people who claimed they were senior level in their resume?
    • Re:Poor Yahoo (Score:4, Insightful)

      by virgnarus (1949790) on Thursday May 24, 2012 @02:59PM (#40102247)

      Nothing like what appears to be a genuine display of pity and compassion on a dying entity being modded up as "Funny". Certainly tells you how much of a laughingstock they are.

      • by alphax45 (675119)
        Thank you for seeing that I was trying to be genuine.
        • Yah, no prob. To be honest, no matter how big or small a business is, I always feel dismayed seeing it go down. It means jobs lost, investments sunk, and lives altered. Even worse if the company is just trying to honestly make ends meet and ends up losing out. Obviously it is always a risk for those involved, and they are well aware of it, but it doesn't make the process any easier.

    • by Sulphur (1548251)

      I almost feel bad for them at this point. They are trying but can't seem to do anything to help themselves.

      Maybe they should mob up with Time-Warner; it's the only way to be sure.

  • Will the exploit still work/exist after Yahoo releases a fix?
    • Re:Dumb question... (Score:4, Informative)

      by MickyTheIdiot (1032226) on Thursday May 24, 2012 @02:00PM (#40101599) Homepage Journal

      Cert has been revoked according to above notes.

      So, no, it already doesn't work. It just shows someone truly had a bad day at Yahoo yesterday (and probably before that as well).

      • Cert has been revoked according to above notes.

        So, no, it already doesn't work. It just shows someone truly had a bad day at Yahoo yesterday (and probably before that as well).

        Thanks (don't know how I missed that originally).

      • by rastos1 (601318)

        Cert has been revoked ...

        At first I was wondering what PGP (mentioned in TFS/TFA) has to do with certificates? Nothing. The file included was a .pem (PKCS private key). Another question is - wasn't the private key file protected with a passphrase?

  • This is great.

    It's the final notice that every person with any competency has at Yahoo has left the building (with the fake CS degrees in tow).

  • Exuberance (Score:5, Funny)

    by virgnarus (1949790) on Thursday May 24, 2012 @01:59PM (#40101595)

    Did the hacker exclaim "Yahoo!" after he discovered it?

    • by ch-chuck (9622)

      Maybe, but I'm sure the package maintainer at yahoo! definitely had an 'oh shit!' moment.

  • Original (Score:1, Informative)

    Would it have been SO FUCKING HARD to link to the original, instead to a site that won't even load as I'm writing this?

    http://nikcub.appspot.com/posts/yahoo-axis-chrome-extension-leaks-private-certificate-file [appspot.com]

  • Hi (Score:3, Insightful)

    by Anonymous Coward on Thursday May 24, 2012 @02:12PM (#40101727)

    Once again, THIS IS A BROWSER EXTENSION ON THE DESKTOP, and a FRONT END FOR MOBILE SAFARI.

    This is not a browser. This is NOT a BROWSER. FOR FUCK SAKES THIS IS NOT A BROWSER

    Hey, check out this brand new compiler I wrote! It's called yahoo_compiler.sh

        gcc $@

    pretty cool huh?

    • by Anonymous Coward

      pretty cool huh?

      No... It doesn't even work!

      $ cat yahoo_compiler.sh
      gcc $@

      $ cat hello\ world.c
      #include <stdio.h>
      int main()
      {
      puts("Hello world\n");
      return(0);
      }

      $ ./yahoo_compiler.sh hello\ world.c
      gcc: hello: No such file or directory
      gcc: world.c: No such file or directory
      gcc: no input files

      You might want to use gcc "$@"
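The quoting bug in the joke wrapper above is worth measuring rather than eyeballing. The script below is an added example, not code from the thread: it defines a wrapper with unquoted `$@` beside one with quoted `"$@"` and counts how many arguments each actually forwards, including the glob-expansion case (an argument like `*.c` gets expanded against the working directory when unquoted). The `safe_compiler_wrapper` function is the corrected form the reply recommends and assumes `gcc` is on the PATH; function names and the scratch files `a.c` and `b.c` are constructed for the demo.

```shell
#!/bin/sh
# Added example: how $@ and "$@" differ inside a wrapper script.

# Reports how many arguments reached it.
count_args() { echo "$#"; }

# Unquoted: the shell re-splits every argument on whitespace and expands
# glob characters, so "hello world.c" arrives as two arguments.
# shellcheck disable=SC2068
unquoted_wrapper() { count_args $@; }

# Quoted: each argument is forwarded exactly as received.
quoted_wrapper() { count_args "$@"; }

# The corrected wrapper from the reply: exec replaces the shell process and
# "$@" preserves argv byte-for-byte (assumes gcc is installed).
safe_compiler_wrapper() { exec gcc "$@"; }

# Glob case, run in a scratch directory containing a.c and b.c (constructed).
# $1 selects "quoted" or "unquoted"; prints the argument count seen.
glob_demo() {
  dir=$(mktemp -d)
  : > "$dir/a.c"
  : > "$dir/b.c"
  (
    cd "$dir" || exit 1
    if [ "$1" = quoted ]; then
      quoted_wrapper '*.c'      # stays one literal argument
    else
      unquoted_wrapper '*.c'    # expands to a.c b.c: two arguments
    fi
  )
  rm -rf "$dir"
}

# Stand-alone run: show the counts side by side.
if [ "${0##*/}" = "quoting_demo.sh" ]; then
  echo "unquoted, 'hello world.c': $(unquoted_wrapper 'hello world.c')"
  echo "quoted,   'hello world.c': $(quoted_wrapper 'hello world.c')"
  echo "unquoted, '*.c' in dir with a.c b.c: $(glob_demo unquoted)"
  echo "quoted,   '*.c' in dir with a.c b.c: $(glob_demo quoted)"
fi
```

Save it as `quoting_demo.sh` to see the four counts printed; the point is that any wrapper that forwards user-controlled file names with unquoted `$@` silently changes the argument list, which is both the build failure in the joke and a classic way to smuggle extra arguments into a tool.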

  • by Anonymous Coward on Thursday May 24, 2012 @02:20PM (#40101825)

    Wake up editors:

    "Yahoo on Wednesday launched a new browser called Axis and researchers immediately discovered that the company had mistakenly included its private signing key in the source file, a serious error that would allow an attacker to create a malicious, signed extension for a browser that the browser will then treat as authentic"

    Okay, perfect so far.

    "The mistake was discovered on Wednesday, soon after Yahoo had launched Axis, which is both a standalone browser for mobile devices as well as an extension for Firefox, Chrome, Safari and Internet Explorer."

    I already knew the mistake was discovered on Wednesday, soon after Yahoo had launched Axis. This sentence does have some new information though.

    "Within hours of the Axis launch, a writer and hacker named Nik Cubrilovic had noticed that the source file for the Axis Chrome extension included the private PGP key that Yahoo used to sign the file. That key is what the Chrome browser would look for in order to ensure that the extension is legitimate and authentic, and so it should never be disclosed publicly."

    Yes, I know something happened within hours of the Axis launch. You already told me twice. You also already told me why it's bad that the key was available publicly.

    Here's a new summary:
    On Wednesday, Yahoo! launched a web browser called Axis, which is both a standalone browser for mobile devices and an extension for popular desktop browsers. Shortly after launch, a writer and hacker named Nik Cubrilovic noticed that the Chrome version of the extension mistakenly included the private PGP key that Yahoo used to sign the file. This file could be used to generate a malicious spoof version of the extension.

    Never mind the secondary-source quoting, which is also obnoxious.

  • Although I did not RTFA I must comment that the summary was notably terrible in identifying what was compromised:
    "That key is what the Chrome browser would look for in order to ensure that the extension is legitimate and authentic, and so it should never be disclosed publicly."

    How about this:
    "The value of this key depends solely on everyone else trusting that only Yahoo knows it."

  • ah... how times change. Or is it now white-hat is a researcher and black-hat is a hacker?
  • by Anonymous Coward

    "Axis Chrome extension included the private PGP key that Yahoo used to sign the file. That key is what the Chrome browser would look for in order to ensure that the extension is legitimate and authentic, and so it should never be disclosed publicly."

    The Yahoo developer will never get it right by reading /. The public key is used by the browser to verify the extension. The private key is used to sign the extension, not to verify it. The private key is to never be shipped with the browser!

  • Never embed a private key in your application, ever. Did I mention never?

    No matter how you implement it, someone is going to reverse engineer your app (for fun, or profit) and will discover your darkest of dark secrets. Once they find your key the game is over. There is no going back. Whatever that key is protecting is now open to a hacker's delight field day worthy of its own Defcon capture the flag competition. If you are lucky some nice grey-hat hacker will tell you before you get in too much trouble, if

  • My initial reservations to allowing these yahoos handle my browsing experience have been quashed. Only a luser wouldn't trust these 'professionals' with his/her datas.
  • As long as amateurs are responsible for making "professional" software, security is an illusion. Utterly pathetic, really.

  • by pspmikek (195542) on Thursday May 24, 2012 @05:50PM (#40104313) Homepage

    I'm not sure everyone understands exactly what this file is.

    When you create a Chrome extension, if you are not going to submit the Chrome extension to the store, you ask Chrome to package the extension. In this process, Chrome generates a private key. This key has nothing to do with identifying you as the author. It is only used so that when you update the extension, you can package and sign it using the same key. Everyone has to keep a local copy of this key, because if you lose it, you can never update your extension. It appears Yahoo kept it in their build directory and accidentally packaged it.

    Having this private key allows you to build a Chrome extension that when installed overlays the existing Yahoo extension. This is because the private key is how Chrome uniquely identifies an extension.

    So yes, this was a dumb mistake. It would allow someone to create an add-on that when installed would overwrite the Yahoo Axis extension. To do this, you would need to create the extension and then convince someone to install it. But if you can convince someone to install it, you can convince them to install any Chrome extension.

    This was not giving away "Yahoo's private key," it was giving away "the private key that Chrome generated to allow Yahoo to sign their extension."

    There is the remote possibility that Yahoo used a real private key to sign their Chrome extension and not one generated by Chrome. If that's the case, everyone involved in the project should be fired.

    • You sound like you know what you're talking about, but from the TP article: "Yahoo officials said that they are in the process of publishing a new, repaired extension".

      I don't think Yahoo would be admitting blame or Google revoking keys in Chrome if the key was not significant.

      • by pspmikek (195542)

        To add to what Anonymous posted below, what Google has essentially done is blacklisted the ID associated with that key.

        They want to be proactive and make sure no one else uses that key because any time a Chrome extension signed with that key is installed, it would always overwrite Yahoo Axis.

        Chrome keys are used to generate unique IDs for their extensions: one key == one ID.

        They also blacklist IDs for things like malware.

        Blacklisting extensions is done by Mozilla as well based on IDs, only the Firefox IDs are
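The two points pspmikek makes above (Chrome's packaging key is what the extension ID is derived from, and the key ended up in the build directory that got packaged) can be turned into two checks a release engineer runs before packaging. The script below is an added example, not Yahoo's, Chrome's or the thread's code. It assumes the well-known derivation Chrome uses for an extension ID: SHA-256 over the DER-encoded public key, first 128 bits as hex, with the hex digits remapped from `0-9a-f` to `a-p`. It also assumes a Linux userland with `sha256sum`, `cut`, `tr` and `grep -r`. The function names and the constructed build tree (`manifest.json`, `background.js`, a placeholder `key.pem` that is not a real key) are mine.

```shell
#!/bin/sh
# Added example: pre-package checks for a Chrome extension build tree.

# 1. Extension ID from a public key.
#    Same key => same ID, which is why a leaked packaging key lets any
#    package signed with it take the place of the original when installed.
#    $1: path to the DER-encoded public key.
extension_id() {
  sha256sum "$1" | cut -c1-32 | tr '0-9a-f' 'a-p'
}

# 2. Refuse to ship a tree that still contains PEM private-key material.
#    Matches plain, RSA, EC and ENCRYPTED PRIVATE KEY headers.
#    $1: build directory. Prints matching paths, one per line (empty if clean).
find_private_keys() {
  grep -rl -- '-----BEGIN .*PRIVATE KEY-----' "$1" 2>/dev/null | sort
}

# Builds a throwaway tree like the one the thread describes: the packaging
# key left next to the extension sources. The .pem content is a constructed
# placeholder, NOT a real key. Prints the directory path.
make_demo_tree() {
  dir=$(mktemp -d)
  mkdir -p "$dir/ext"
  printf '{"name":"demo","version":"1.0","manifest_version":2}\n' > "$dir/ext/manifest.json"
  printf 'console.log("hello");\n' > "$dir/ext/background.js"
  printf -- '-----BEGIN PRIVATE KEY-----\nNOTAREALKEY\n-----END PRIVATE KEY-----\n' > "$dir/ext/key.pem"
  echo "$dir"
}

# Gate: exit non-zero if the tree holds key material, so a CI job fails
# before anything is zipped or uploaded.
package_gate() {
  leaks=$(find_private_keys "$1")
  if [ -n "$leaks" ]; then
    echo "refusing to package; private-key material found:" >&2
    echo "$leaks" >&2
    return 1
  fi
  return 0
}

# Stand-alone run.
if [ "${0##*/}" = "crx_precheck.sh" ]; then
  tree=$(make_demo_tree)
  package_gate "$tree/ext" || echo "gate failed as expected"
  rm -rf "$tree"
fi
```

The ID derivation explains the revocation described earlier in the thread: Google does not need to know who holds the key, only which 32-letter ID that key produces, and blacklisting that ID blocks every package signed with it. The grep gate is deliberately crude (header match only) so that it also catches a key that was renamed or moved into a subdirectory; a passphrase-protected PEM still matches via the `ENCRYPTED PRIVATE KEY` header, which answers rastos1's question only in the sense that a protected key should not ship either.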

  • by MagicFab (7234) on Thursday May 24, 2012 @11:06PM (#40106221) Homepage

    OpenPGP, PGP and GnuPG / GPG are often used interchangeably - a common mistake.

    OpenPGP is technically a proposed standard although it is widely used.

    PGP is an acronym for Pretty Good Privacy, a computer program which provides cryptographic privacy and authentication.

    GnuPG is an abbreviation for Gnu Privacy Guard, another computer program which provides cryptographic privacy and authentication.

    gpg is the name of the binary executable file for GnuPG in Gnu/Linux- and Unix-based operating systems.

  • One more piece of evidence that explains Yahoo's long, slow decline as a software enterprise.
