Yahoo leaks private key, allows anyone to build Yahoo-signed Chrome extensions

Yahoo accidentally leaked the private key that was used to digitally sign its new Axis extension for Google Chrome

Yahoo was forced to release a new version of its Axis extension for Google Chrome after the original one contained a private key that allowed anyone to digitally sign extensions in Yahoo's name.

Axis is a new search and browsing tool from Yahoo that was released on Wednesday. It is available for desktop computers, as an extension for Google Chrome, Mozilla Firefox, Internet Explorer and Safari, as well as for iOS devices, as a stand-alone app.

However, while looking at the source code for the Google Chrome Axis extension, hacker and security blogger Nik Cubrilovic discovered a serious security flaw -- the package included the private cryptographic key used by Yahoo to sign the extension.

"With access to the private certificate file [private key] a malicious attacker is able to create a forged extension that Chrome will authenticate as being from Yahoo," Nik Cubrilovic said in a blog post on Thursday.

Google Chrome extensions come packed as CRX files, which are essentially digitally signed ZIP-format archives.

Every CRX file contains a public key that's part of a private-public key pair unique to its creator. The private key is used to sign the extension, while the public key is used by the browser to verify the signature's authenticity.

Since private keys allow developers to digitally sign new extensions or update their old ones, they should always be kept secret.

In order to prove the implications of the private key leak, Cubrilovic created a proof-of-concept Chrome extension that displays an alert on every visited website and signed it with Yahoo's private key.

An attacker can push a Yahoo-signed malicious extension to a browser that has the Axis extension installed, by using techniques like DNS spoofing, Cubrilovic said.

Google Chrome automatically checks for extension updates by querying update URLs specified by developers. If attackers can forge the DNS (domain name system) responses received by the browser, they can force it to install a rogue digitally signed extension update from a server under their control.

Yahoo confirmed the security issue. "We worked quickly to resolve the issue and have issued a new Chrome plug-in," a Yahoo spokeswoman said via email. "Users who downloaded Yahoo! Axis on Chrome between the hours of 6-9 p.m. Pacific Time on May 23, 2012, are encouraged to uninstall the previous version and reinstall the new version at axis.yahoo.com."

Join the PC World newsletter!

Error: Please check your email address.

Struggling for Christmas presents this year? Check out our Christmas Gift Guide for some top tech suggestions and more.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service

Most Popular Reviews

Follow Us

Best Deals on GoodGearGuide

Shopping.com

Latest News Articles

Resources

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Latest Jobs

Shopping.com

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?