back to article Yahoo! leaks! private! key! in! Axis! Chrome! debut!

Yahoo! today released its Axis extension for Chrome – and accidentally leaked its private security key that could allow anyone to create malicious plugins masquerading as official Yahoo! software. Australian entrepreneur Nik Cubrilovic, who last year garnered notice for identifying Facebook's tracking cookies, revealed the …


This topic is closed for new posts.
  1. John Lilburne

    Chrome is a piece of malicious ...

    .... software anyway. Keeps wanting to get installed on your system no matter how many times you say NO.

    1. Anonymous Coward
      Anonymous Coward

      Re: Chrome is a piece of malicious ...

      Indeed, especially Chrome versions WITH RLZ tracking.

      Nice trick there Google, washing your hands by offering a RLZ free version from your official site, but dumping the RLZ-laden one on your "partners".

      1. gigitrix

        Re: Chrome is a piece of malicious ...

        <sarcasm>Yes, RLZ is so scary. It totally violates your privacy...</sarcasm>

    2. Anonymous Coward
      Anonymous Coward

      Re: Chrome is a piece of malicious ...

      You can download a non-googlified version of Chrome (Chromium, the underlying browser) but have to go to (cause that's an obvious address).

  2. Mr C

    uh-oh.. bad career move

    i wouldn't want to be standing in the shoes of the developer that forgot to take out that key :P

    1. Benny

      Re: uh-oh.. bad career move

      Or the QA / peer reviewer that missed it...

    2. umacf24

      Re: uh-oh.. bad career move

      I can't imagine why they needed to put the private key in in the first place. The private key should stay with the signer. Is every Yahoo developer given a copy?

  3. Bob Vistakin

    Yahoo! - the comedy gift that just keeps on giving :-)

    I so hope they don't implode totally - their never ending antics are fantastic entertainment!

    1. I think so I am?

      Re: Yahoo! - the comedy gift that just keeps on giving :-)

      Their fall from grace has been both hilarious and kind of disappointing.

      1. Ilgaz

        Re: Yahoo! - the comedy gift that just keeps on giving :-)

        I shouldn't but I still feel sorry for the brand they destroy.

        I never took their search serious, always considered them an internet utility. I just wish the days of inventions like "my Yahoo" (which is still ages ahead), full feature environments in instant messenger, news/ video and really wasted Yahoo finance/ broadband come back.

  4. adam payne

    Coming some the outrageous comedy, Yahoo! The Movie.

  5. An0n C0w4rd

    What's the point of pulling the package that had the private key in it? The private key is probably in the hands of miscreants now. The key needs to be revoked ASAP, and blacklisted in any browser or other software that uses that type of certificate to authenticate plugins and extensions.

    1. Lee Sherwood

      Damage limitation? Blacklisting the key and then changing anything that uses that key to use a new one would take time. Therefore as a temporary measure removing the key would be an attempt at trying to limit the dispersal. Pretty standard thing to do under the circumstances i would think?

      1. An0n C0w4rd

        Damage limitation should be thought of limiting the damage of the already exposed key, not in terms of "should we stop distributing they key" (which should also happen)

        It shouldn't take long to get a new private key signed by a certificate authority. They shouldn't have to do a full QA cycle on any re-released code as all they're doing is changing the signing certificate.

        Is it more work and could take a few hours longer? Probably.

        However, we've already REPEATEDLY seen situations where code signing keys have been used to inject malware without the popup requesting you acknowledge running unsigned code. Virus/trojan writers are likely already preparing their new code with this key as I type.

        This demonstrates another example of the failure of trust chains. All the trust chain says is "CA X trusts that Company Y is who they say they are". but its been abused to say "this code is OK to install as the chain is valid" as the OS has a key from the CA. The entire process needs to be rethought.

  6. Anonymous Coward
    Anonymous Coward

    Is the replacement package signed with the same key?

    1. Mr C
      Thumb Up

      hahaha wouldn't that be a neat trick :D

  7. Ilgaz

    Lovely name (!)

    Call a browser extension "axis" which is associated with nazis and recently terrorists.

    1. Rustybucket

      Re: Lovely name (!)

      So the Earth spins on a Nazi inclined at 23.5 degrees?

      1. Ilgaz

        Re: Lovely name (!)

        I am just telling that axis, especially in certain areas have a bad feeling associated with it.

        Like, you should ask Intel and others why they directly jumped to 667 mhz, not 666 or those super high tech buildings at China and Hong Kong don't have 4th floor or no German company will use number "88" as model/ version.

        Actually, companies like Apple and Microsoft have large word lists consisting of things like that and they are even careful with some weird dll's filename buried in 5 folders deep. Amazon is said to have consulted with sociology experts and Turkish personnel while naming "mechanical Turk" whether it will offend Turks or not.

      2. TeeCee Gold badge

        Re: Lovely name (!)

        Reichsfuhrer Atlas?

This topic is closed for new posts.

Other stories you might like