Yahoo Includes Private Key In Source File For Axis Chrome Extension 85
Trailrunner7 writes "Yahoo on Wednesday launched a new browser called Axis and researchers immediately discovered that the company had mistakenly included its private signing key in the source file, a serious error that would allow an attacker to create a malicious, signed extension for a browser that the browser will then treat as authentic. The mistake was discovered on Wednesday, soon after Yahoo had launched Axis, which is both a standalone browser for mobile devices as well as an extension for Firefox, Chrome, Safari and Internet Explorer. ... Within hours of the Axis launch, a writer and hacker named Nik Cubrilovic had noticed that the source file for the Axis Chrome extension included the private PGP key that Yahoo used to sign the file. That key is what the Chrome browser would look for in order to ensure that the extension is legitimate and authentic, and so it should never be disclosed publicly."
Yeah... (Score:3, Insightful)
Re:Yeah... (Score:4, Interesting)
Getting this back? HAH! Put that toothpaste back in the tube, Yahoo!
They also included the letter "A" from Adobe in the source. This is a bitch.
Exhibit A: http://37prime.com/news/wp-content/uploads/2012/05/Yahoo-Axis.jpg [37prime.com]
Exhibit B: http://www.mobilemarketingwatch.com/wordpress/wp-content/uploads/2012/02/Adobe-Shakes-Up-Digital-Publishing-With-Embellished-Platform.png [mobilemarketingwatch.com]
Re: (Score:2)
Not the same A. Close... but the bottom leg is different.
"That little bitty ting. It's not the same." (Score:1)
Vanilla Ice? Is that you?
http://www.youtube.com/watch?v=1s0hEi8zhmg
Re:Yeah... (Score:5, Funny)
...this is the group of clowns I want developing my browser extensions for me. Amiright?
It'll be fine. They all have computer science degrees. They said so on their resumes.
Re:Yeah... (Score:5, Funny)
...this is the group of clowns I want developing my browser extensions for me. Amiright?
Really?
You didn't go with "bunch of yahoos"?
Re: (Score:2)
Re: (Score:1)
Nothing interesting has happened at Yahoo since before 2000. Of all the Old Internet firms to survive on inertia, Yahoo is the most significant. I had an old and fairly clueless friend who managed to get a senior admin position there on personal contacts, and they basically did fuck all but ride the wave.
Re:Can it be changed (Score:4, Informative)
Re: (Score:2)
So that's why there was a Chrome update last night? That was quick.
Re: (Score:2, Informative)
No, Chrome polls for a list of blacklisted plugins every few hours. It's entirely independent of the browser updates.
Re: (Score:1)
Please explain instead of assuming you are right and we'll all see how right you are if only we were as smart as you.
Re:Can it be changed (Score:5, Funny)
Please explain instead of assuming you are right and we'll all see how right you are if only we were as smart as you.
My cousin was on crank for a while. One time he was tweaking for about 3 days straight. And about halfway through, his sentences sounded just like that.
Re: (Score:2)
Please explain instead of assuming you are right and we'll all see how right you are if only we were as smart as you.
My cousin was on crank for a while. One time he was tweaking for about 3 days straight. And about halfway through, his sentences sounded just like that.
Is that why they call it crank; because words keep turning up like pedals on a bike?
Re: (Score:2)
Yes, we all know how keys public/private keys work.
But that doesn't explain how it can hurt anybody except Yahoo now that Google has revoked it.
Re: (Score:3)
How about, "It hurts users who have loaded extensions signed with Yahoo's private key, who now have to unload those extensions and find updated versions signed with Yahoo's new private key."
Fer instance.
BTW, "hurt" is the drama-queen way to express the impact. "Inconvenience" is more accurate. Both for Yahoo, and users who have trusted Yahoo's old signatures, as long as the revocation is effective and quick enough to prevent Yahoo-signed malware from getting a foothold.
If that happens, the impact to users e
Re:Can it be changed (Score:5, Informative)
Re: (Score:2)
Supposedly this is already done. ... at least on Google's end. I don't chrome, so I have no idea if this is a manual blacklisting or a CRL.
Re: (Score:1)
The only thing that got leaked was Yahoo's private key, i.e. what is used to prove that the extension is made by Yahoo. So as long as you don't install any extensions that claim that they are made by Yahoo, you should be fine.
Drive-by downloads/installation would be a separate issue with browser security. I have no clue if there are any exploits in the wild that allow this. (I would think that most of these would be malware installed on your computer that modified your Chrome installation as opposed to "
Re: (Score:2)
Key signing is only a concern if you install addons from sources other than the Chrome Web Store. If you upload an app to the Chrome Web Store Google takes care of the key signing for you (you upload in a simple ZIP file and Google generates the signed CRX file for you).
I THINK the purpose key signing is to ensure that updates to an extension are signed with the same key, but I'm not sure. Users are normally never notified about anything concerning the key used to sign any extension. At any rate whenever
Re:Can it be changed (Score:5, Insightful)
Should I worry about this using Chrome?
No, but you should worrry about using the Axix extension. If they're going to make a mistake that incredibly stupid, you'd be a fool to use it. What other gaping holes did they leave open?
Re:Can it be changed (Score:5, Funny)
What other gaping holes did they leave open?
Everyone is advised to be very, very careful what links they click on from this parent post. You guys know what I'm talking about....
Re: (Score:1)
What other gaping holes did they leave open?
Everyone is advised to be very, very careful what links they click on from this parent post. You guys know what I'm talking about....
What like this one? [clownsong.com]
"...but not so open that your brains fall out." (Score:5, Funny)
That's how open your source should be.
Poor Yahoo (Score:5, Funny)
Re: (Score:1, Insightful)
I think this might go down as the moment where Yahoo? lost their last shred of credibility as a technology company. And it's not this one mistake that signals the end...it's the fact that I'm not that surprised by it. If it were Google or even Facebook I would be shocked. But Yahoo? Yeah, sounds about right.
For a long time I've said that Yahoo? needs to forget the fact that they started as a search company. They're still a serious player in online display advertising and they own a lot of properties that ar
Re: (Score:1)
I tend to agree. What'll be key here is how well and how fast they fix & reduce this faux pas. That'll reflect true dev resources, and I'm not sure they have any.
About a decade ago they tried to hire me. Big push to assemble a dream team of web developers, big offers with full perks already long vanished in the post-boom. The top-ordained plan was to hire all of the Names their devs respected, with serious funding and empowerment of their web staff thereafter.
They'd figured out being second-place to Goo
Re: (Score:2)
This was entirely preventable. No pity for cheapos (Score:1)
This is exactly what happens when you hire too few senior level technicians.
Yes, they are more expensive than their entry-level counterparts. But as stories like this one show, they are worth it.
Re: (Score:3, Funny)
Re:Poor Yahoo (Score:4, Insightful)
Nothing like what appears to be a genuine display of pity and compassion on a dying entity being modded up as "Funny". Certainly tells you how much of a laughingstock they are.
Re: (Score:2)
Re: (Score:2)
Yah, no prob. To be honest, no matter how big or small a business is, I always feel dismayed seeing it go down. It means jobs lost, investments sunk, and lives altered. Even worse if the company is just trying to honestly make ends meat and ends up losing out. Obviously it always a risk for those involved, and they are well aware of it, but it doesn't make the process any easier.
Re: (Score:2)
I almost feel bad for them at this point. They are trying but can't seem to do anything to help themselves.
Maybe they should mob up with Time-Warner; its the only way to be sure.
Dumb question... (Score:1)
Re:Dumb question... (Score:4, Informative)
Cert has been revoked according to above notes.
So, no, it already doesn't work. It just shows someone truly had a bad day at Yahoo yesterday (and probably before that as well)/
Re: (Score:1)
Cert has been revoked according to above notes.
So, no, it already doesn't work. It just shows someone truly had a bad day at Yahoo yesterday (and probably before that as well)/
Thanks (don't know how I missed that originally).
Re: (Score:2)
Thanks (don't know how I missed that originally).
That's what he [wikipedia.org] said.
Re: (Score:2)
At first I was wondering what does PGP (mentioned in TFS/TFA) have to do with certificates? Nothing. The file included was a .pem (PKCS private key). Another question is - wasn't the private key file protected with a passphrase?
LMAO!!! (Score:1)
This is great.
It's the final notice that every person with any competency has at Yahoo has left the building (with the fake CS degrees in tow).
Exuberance (Score:5, Funny)
Did the hacker exclaim "Yahoo!" after he discovered it?
Re: (Score:1)
Maybe, but I'm sure the package maintainer at yahoo! definitely had an 'oh shit!' moment.
Original (Score:1, Informative)
Would it have been SO FUCKING HARD to link to the original, instead to a site that won't even load as I'm writing this?
http://nikcub.appspot.com/posts/yahoo-axis-chrome-extension-leaks-private-certificate-file [appspot.com]
Hi (Score:3, Insightful)
Once again, THIS IS A BROWSER EXTENSION ON THE DESKTOP, and a FRONT END FOR MOBILE SAFARI.
This is not a browser. This is NOT a BROWSER. FOR FUCK SAKES THIS IS NOT A BROWSER
Hey, check out this brand new compiler I wrote! It's called yahoo_compiler.sh
gcc $@
pretty cool huh?
Re: (Score:1)
pretty cool huh?
No... It doesn't even work!
$ cat yahoo_compiler.sh
gcc $@
$ cat hello\ world.c
#include
int main()
{
puts("Hello world\n");
return(0);
}
$ ./yahoo_compiler.sh hello\ world.c
gcc: hello: No such file or directory
gcc: world.c: No such file or directory
gcc: no input files
You might want to use gcc "$@"
Absolutely gibberish article summary (Score:5, Insightful)
Wake up editors:
"Yahoo on Wednesday launched a new browser called Axis and researchers immediately discovered that the company had mistakenly included its private signing key in the source file, a serious error that would allow an attacker to create a malicious, signed extension for a browser that the browser will then treat as authentic"
Okay, perfect so far.
"The mistake was discovered on Wednesday, soon after Yahoo had launched Axis, which is both a standalone browser for mobile devices as well as an extension for Firefox, Chrome, Safari and Internet Explorer."
I already knew the mistake was discovered on Wednesday, soon after Yahoo had launched Axis. This sentence does have some new information though.
"Within hours of the Axis launch, a writer and hacker named Nik Cubrilovic had noticed that the source file for the Axis Chrome extension included the private PGP key that Yahoo used to sign the file. That key is what the Chrome browser would look for in order to ensure that the extension is legitimate and authentic, and so it should never be disclosed publicly."
Yes, I know something happened within hours of the Axis launch. You already told me twice. You also already told me why it's bad that the key was available publicly.
Here's a new summary:
On Wednesday, Yahoo! launched a web browser called Axis, which is both a standalone browser for mobile devices and an extension for popular desktop browsers. Shortly after launch, a writer and hacker named Nik Cubrilovic noticed that the Chrome version of the extension mistakenly included the private PGP key that Yahoo used to sign the file. This file could be used to generate a malicious spoof version of the extension.
Never mind the secondary-source quoting, which is also obnoxious.
Re:Absolutely gibberish article summary (Score:5, Insightful)
I, for one, welcome our new anonymous summary-critiquing overlord
Cringe-worthy summary. (Score:1)
Although I did not RTFA I must comment that the summary was notably terrible in identifying what was compromised:
"That key is what the Chrome browser would look for in order to ensure that the extension is legitimate and authentic, and so it should never be disclosed publicly."
How about this:
"The value of this key depends solely on everyone else trusting that only Yahoo knows it."
Re: (Score:2)
Uh, uh. uh... mustn't forget the firing!!!
from hacker to researcher... (Score:2)
Quote mistake: Private vs. public key (Score:1)
"Axis Chrome extension included the private PGP key that Yahoo used to sign the file. That key is what the Chrome browser would look for in order to ensure that the extension is legitimate and authentic, and so it should never be disclosed publicly."
The Yahoo developer will never get it right by reading /. The public key is used by the browser to verify the extension. The private key is used to sign the extension, not to verify it. The private key is to never be shipped with the browser!
Lesson from Crypto 101 class (Score:1)
No mater how you impliment it, someone is going to reverse engineer your app (for fun, or profit) and will discover your darkest of dark secrets. Once they find your key the game is over. There is no going back. Whatever that key is protecting is now open to a hackers delight field day worthy of its own Defcon capture the flag compitition. If you are lucky some nice grey-hat hacker will tell you before you get in too much trouble, if
Game Changer!!! (Score:2)
Amateurs (Score:2)
As long as amateurs are responsible for making "professional" software, security is an illusion. Utterly pathetic, really.
How Chrome extension signing works (Score:4, Informative)
I'm not sure everyone understands exactly what this file is.
When you create a Chrome extension, if you are not going to submit the Chrome extension to the store, you ask Chrome to package the extension. In this process, Chrome generates a private key. This key has nothing to do with identifying you as the author. It is only used so that you when you update the extension, you can package and sign it using the same key. Everyone has to keep a local copy of this key, because if you lose it, you can never update your extension. It appears Yahoo kept it in their build directory and accidentally packaged it.
Having this private key allows you to build a Chrome extension that when installed overlays the existing Yahoo extension. This is because the private key is how Chrome uniquely identifies an extension.
So yes, this was a dumb mistake. It would allow someone to create an add-on that when installed would overwrite the Yahoo Axis extension. To do this, you would need to create the extension and then convince someone to install it. But if you can convince someone to install it, you can convince them to install any Chrome extension.
This was not giving away "Yahoo's private key," it was giving away "the private key that Chrome generated to allow Yahoo to sign their extension."
There is the remote possibility that Yahoo used a real private key to sign their Chrome extension and not one generated by Chrome. If that's the case, everyone involved in the project should be fired.
Re: (Score:1)
You sound like you know what your talking about, but from the TP article: "Yahoo officials said that they are in the process of publishing a new, repaired extension".
I don't think Yahoo would be admitting blame or Google revoking keys in Chrome if the key was not significant.
Re: (Score:1)
To add to what Anonymous posted below, what Google has essentially done is blacklisted the ID associated with that key.
They want to be proactive and make sure noone else uses that key because any time a Chrome extension signed with that key is installed, it would always overwrite Yahoo Axis.
Chrome keys are used to generate unique IDs for their extensions one key == one ID.
They also blacklist IDs for things like malware.
Blacklisting extensions is done by Mozilla as well based on IDs, only the Firefox IDs are
Re: (Score:1)
This isn't really a code signing certificate, this is just a Chrome thing.
What you're referring to is a certificate that a company pays hundreds or thousands of dollars for and gets from a company like Verisign (are they still in business?). This certificate needs to be treated with utmost care because anyone that gets it can sign an executable or other application saying that it came from a specific company.
These certificates should NOT be used to sign Chrome extensions, because in the Chrome world you can
It's called and OpenPGP key. (Score:3)
OpenPGP, PGP and GnuPG / GPG are often used interchangeably - a common mistake.
OpenPGP is technically a proposed standard although it is widely used.
PGP is an acronym for Pretty Good Privacy, a computer program which provides cryptographic privacy and authentication.
GnuPG is an abbreviation for Gnu Privacy Guard, another computer program which provides cryptographic privacy and authentication.
gpg is the name of the binary executable file for GnuPG in Gnu/Linux- and Unix-nased operating systems.
Yahoo sucks (Score:1)