
Yahoo Includes Private Key In Source File For Axis Chrome Extension

Trailrunner7 writes "Yahoo on Wednesday launched a new browser called Axis and researchers immediately discovered that the company had mistakenly included its private signing key in the source file, a serious error that would allow an attacker to create a malicious, signed extension for a browser that the browser will then treat as authentic. The mistake was discovered on Wednesday, soon after Yahoo had launched Axis, which is both a standalone browser for mobile devices as well as an extension for Firefox, Chrome, Safari and Internet Explorer. ... Within hours of the Axis launch, a writer and hacker named Nik Cubrilovic had noticed that the source file for the Axis Chrome extension included the private PGP key that Yahoo used to sign the file. That key is what the Chrome browser would look for in order to ensure that the extension is legitimate and authentic, and so it should never be disclosed publicly."
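The summary above describes a signing key that shipped inside the extension's own source file. The Python script below is an added example, not Yahoo's code and not part of the original post: it is the kind of pre-release check that catches such a mistake, scanning a source tree for PEM or PGP private-key armor headers before anything is packaged. The file names and the key body in the sample tree are constructed placeholders.

```python
"""Pre-release check: refuse to package a browser extension whose source tree
carries private key material (PEM or PGP private-key blocks)."""
import os
import re
from typing import Dict, List, Tuple

# Armor headers for common private-key encodings plus the PGP one. Matching the
# BEGIN line is enough: any such header in shipped source is a finding.
PRIVATE_KEY_HEADER = re.compile(
    r"-----BEGIN (?P<kind>(?:RSA |EC |DSA |OPENSSH |ENCRYPTED )?PRIVATE KEY"
    r"|PGP PRIVATE KEY BLOCK)-----"
)
Finding = Tuple[str, int, str]  # (path, 1-based line number, key kind)


def scan_text(path: str, text: str) -> List[Finding]:
    """Return one finding per line of `text` that opens a private-key block."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = PRIVATE_KEY_HEADER.search(line)
        if m:
            findings.append((path, lineno, m.group("kind")))
    return findings


def scan_tree(root: str, exts=(".js", ".json", ".html", ".pem", ".txt")) -> List[Finding]:
    """Walk a real unpacked extension directory and scan its text files."""
    findings: List[Finding] = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.lower().endswith(exts):
                full = os.path.join(dirpath, name)
                with open(full, encoding="utf-8", errors="replace") as fh:
                    findings.extend(scan_text(full, fh.read()))
    return findings


# Constructed sample tree (hypothetical file names; the key body is a placeholder,
# not real key material): one file wrongly embeds the signing key.
SAMPLE_TREE: Dict[str, str] = {
    "manifest.json": '{"name": "example-ext", "version": "1.0"}',
    "background.js": "console.log('hello');\n",
    "sign_config.js": "var signing = {\n"
                      "  key: '-----BEGIN RSA PRIVATE KEY-----\\nPLACEHOLDER\\n-----END RSA PRIVATE KEY-----'\n"
                      "};\n",
}


def check_sample() -> List[Finding]:
    """Scan the constructed tree; a release script would abort if this is non-empty."""
    return [f for path, text in SAMPLE_TREE.items() for f in scan_text(path, text)]
```

A public-key header (`-----BEGIN PUBLIC KEY-----`) is deliberately not flagged, since the public half is what legitimately belongs in a package.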
  • Yeah... (Score:3, Insightful)

    by Anonymous Coward on Thursday May 24, 2012 @01:51PM (#40101469)
    ...this is the group of clowns I want developing my browser extensions for me. Amiright?
  • Re:Poor Yahoo (Score:1, Insightful)

    by Anonymous Coward on Thursday May 24, 2012 @02:00PM (#40101605)

    I think this might go down as the moment where Yahoo! lost their last shred of credibility as a technology company. And it's not this one mistake that signals the end...it's the fact that I'm not that surprised by it. If it were Google or even Facebook I would be shocked. But Yahoo? Yeah, sounds about right.

    For a long time I've said that Yahoo! needs to forget the fact that they started as a search company. They're still a serious player in online display advertising and they own a lot of properties that are disproportionately valuable in terms of CPM. They should stop trying to come up with new doohickies and focus on what they do best - selling targeted advertising to major advertisers.

    It's a shame that they didn't hit the goldmine like google or fb did, but there's no point in letting the past get in the way of the opportunities of the moment. Yahoo could still be one hell of an ad network.

  • by mcgrew (92797) on Thursday May 24, 2012 @02:03PM (#40101643)

    Should I worry about this using Chrome?

    No, but you should worry about using the Axis extension. If they're going to make a mistake that incredibly stupid, you'd be a fool to use it. What other gaping holes did they leave open?

  • Hi (Score:3, Insightful)

    by Anonymous Coward on Thursday May 24, 2012 @02:12PM (#40101727)

    Once again, THIS IS A BROWSER EXTENSION ON THE DESKTOP, and a FRONT END FOR MOBILE SAFARI.

    This is not a browser. This is NOT a BROWSER. FOR FUCK SAKES THIS IS NOT A BROWSER

    Hey, check out this brand new compiler I wrote! It's called yahoo_compiler.sh

        #!/bin/sh
        # Pass every argument through to gcc, quoted so arguments with spaces survive.
        exec gcc "$@"

    pretty cool huh?

  • by Anonymous Coward on Thursday May 24, 2012 @02:20PM (#40101825)

    Wake up editors:

    "Yahoo on Wednesday launched a new browser called Axis and researchers immediately discovered that the company had mistakenly included its private signing key in the source file, a serious error that would allow an attacker to create a malicious, signed extension for a browser that the browser will then treat as authentic"

    Okay, perfect so far.

    "The mistake was discovered on Wednesday, soon after Yahoo had launched Axis, which is both a standalone browser for mobile devices as well as an extension for Firefox, Chrome, Safari and Internet Explorer."

    I already knew the mistake was discovered on Wednesday, soon after Yahoo had launched Axis. This sentence does have some new information though.

    "Within hours of the Axis launch, a writer and hacker named Nik Cubrilovic had noticed that the source file for the Axis Chrome extension included the private PGP key that Yahoo used to sign the file. That key is what the Chrome browser would look for in order to ensure that the extension is legitimate and authentic, and so it should never be disclosed publicly."

    Yes, I know something happened within hours of the Axis launch. You already told me twice. You also already told me why it's bad that the key was available publicly.

    Here's a new summary:
    On Wednesday, Yahoo! launched a web browser called Axis, which is both a standalone browser for mobile devices and an extension for popular desktop browsers. Shortly after launch, a writer and hacker named Nik Cubrilovic noticed that the Chrome version of the extension mistakenly included the private PGP key that Yahoo used to sign the file. This file could be used to generate a malicious spoof version of the extension.

    Never mind the secondary-source quoting, which is also obnoxious.

  • by BattleApple (956701) on Thursday May 24, 2012 @02:47PM (#40102085)

    I, for one, welcome our new anonymous summary-critiquing overlord

  • Re:Poor Yahoo (Score:4, Insightful)

    by virgnarus (1949790) on Thursday May 24, 2012 @02:59PM (#40102247)

    Nothing like what appears to be a genuine display of pity and compassion on a dying entity being modded up as "Funny". Certainly tells you how much of a laughingstock they are.
