Yahoo accidentally leaked the private key that was used to digitally sign its new Axis extension for Google Chrome.
The company released Axis, which is a plug-in for HTML5 enabled web browsers such as Internet Explorer, Firefox, Chrome and Safari as well as the Iphone and Ipad that is intended to speed up internet searches.
However, while looking at the source code for the Google Chrome Axis extension, hacker and security blogger Nik Cubrilovic discovered a serious security flaw — the package included the private cryptographic key used by Yahoo to sign the extension.
“With access to the private certificate file [private key] a malicious attacker is able to create a forged extension that Chrome will authenticate as being from Yahoo,” Nik Cubrilovic said.
Since private keys allow developers to digitally sign new extensions or update their old ones, they should always be kept secret.
An attacker can push a Yahoo-signed malicious extension to a browser that has the Axis extension installed, by using techniques like DNS spoofing, Cubrilovic said.
Yahoo confirmed the security issue. “We worked quickly to resolve the issue and have issued a new Chrome plug-in,” a Yahoo spokeswoman said via email. “Users who downloaded Yahoo! Axis on Chrome between the hours of 6-9 p.m. Pacific Time on May 23, 2012, are encouraged to uninstall the previous version and reinstall the new version at axis.yahoo.com.”