Yahoo on Wednesday launched a new browser called Axis and researchers immediately discovered that the company had mistakenly included its private signing key in the source file, a serious error that would allow an attacker to create a malicious, signed extension for a browser that the browser will then treat as authentic.
The mistake was discovered on Wednesday, soon after Yahoo had launched Axis, which is both a standalone browser for mobile devices as well as an extension for Firefox, Chrome, Safari and Internet Explorer. Yahoo is touting the browser’s predictive search capability, which will guess what the user is trying to search for as she is typing and bring up thumbnail images of potential matches.
But that’s not the thing that got the most attention. Within hours of the Axis launch, a writer and hacker named Nik Cubrilovic had noticed that the source file for the Axis Chrome extension included the private PGP key that Yahoo used to sign the file. That key is what the Chrome browser would look for in order to ensure that the extension is legitimate and authentic, and so it should never be disclosed publicly.
“The certificate file is used by Yahoo! to sign the extension package, which is used by Chrome and the webstore to authenticate that the package comes from Yahoo!. With access to the private certificate file a malicious attacker is able to create a forged extension that Chrome will authenticate as being from Yahoo!” Cubrilovic wrote in an analysis of the problem.
After realizing the mistake Yahoo had made, Cubrilovic created a cloned, forged extension for Chrome, signed it with the Yahoo key and then installed it on Chrome with no problems. He uploaded the code for the original Axis Chrome extension and his own spoofed one to GitHub.
Yahoo officials said that they are in the process of publishing a new, repaired extension.
“The clearest implication is that with the private certificate file and a fake extension you can create a spoofed package that captures all web traffic, including passwords, session cookies, etc. The easiest way to get this installed onto a victims machine would be to DNS spoof the update URL. The next time the extension attempts to update it will silently install and run the spoofed extension,” Cubrilovic said in his analysis.