How could Yahoo! leak a private key?

According to the blog of hacker Nik Cubrilovic, the most recent version of Yahoo!'s Axis extension for the Chrome browser actually included the PGP private key that Yahoo! used to digitally sign the software.

Seriously.

So if you're a clever hacker, or even just moderately observant, this gives you everything that you'd need to create your own extensions and then sign them so that look they came from Yahoo!

D'oh!

I'm sure that there's a perfectly good explanation for how this happened, but I'm having a hard time thinking of exactly what that could be.

Cubrilovic's blog has a link to a demonstration of how to exploit this bug, and it's something that you should definitely check out if you have even a casual interest in this sort of thing.

Leave a Reply

Your email address will not be published. Required fields are marked *