Just hours after unveiling its pseudo-Web browser "Axis," which serves as a visual search tool on desktop and mobile devices, Yahoo was forced to disable the Chrome version on the desktop due to security concerns. Turns out the company accidentally leaked the private security key used to sign the extension, which could allow anyone to create malicious plugins masquerading as official Yahoo! software.
Australian security blogger Nik Cubrilovic, who last year garnered notice for identifying Facebook's tracking cookies, first exposed the certificate blunder on his blog and advised users not to install the extension “until the issue is clarified”. Cubrilovic explained that by inadvertently making this key public, Yahoo had made it possible for anyone to use it to sign malicious software and trick Google into thinking it was legitimate:
“The clearest implication is that with the private certificate file and a fake extension you can create a spoofed package that captures all web traffic, including passwords, session cookies, etc. The easiest way to get this installed on a victim's machine would be to DNS spoof the update URL. The next time the extension attempts to update it will silently install and run the spoofed extension.”
Yahoo has since released an updated version of the extension that removes the private key. The company also blacklisted the exposed certificate key with Google so that anyone who had already installed the Chrome extension for Axis won’t be vulnerable to such attacks in the future.
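A pre-publish check that would have caught this kind of mistake, added here as an illustration and not code from Yahoo or Google: it scans a zipped extension bundle for PEM private-key blocks and key-like file names before the package is signed or uploaded. The sample bundle and the fake key inside it are constructed for the demonstration.

```python
import io
import zipfile

# Markers of private key material that should never ship inside an extension package
# (constructed list; extend with whatever key formats your pipeline uses).
PRIVATE_KEY_MARKERS = (
    b"-----BEGIN RSA PRIVATE KEY-----",
    b"-----BEGIN PRIVATE KEY-----",
    b"-----BEGIN EC PRIVATE KEY-----",
    b"-----BEGIN ENCRYPTED PRIVATE KEY-----",
)
# File extensions that usually hold key material, flagged even if the content check misses.
SUSPECT_SUFFIXES = (".pem", ".key", ".p12", ".pfx")


def scan_file(name: str, data: bytes) -> list:
    """Return findings for one packaged file (name is the path inside the package)."""
    findings = []
    if name.lower().endswith(SUSPECT_SUFFIXES):
        findings.append(f"{name}: key-like file extension")
    for marker in PRIVATE_KEY_MARKERS:
        if marker in data:
            findings.append(f"{name}: contains {marker.decode()}")
            break
    return findings


def scan_zip(zip_bytes: bytes) -> list:
    """Scan a zipped extension bundle (the form uploaded to a web store) for key material."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not info.is_dir():
                findings.extend(scan_file(info.filename, zf.read(info)))
    return findings


def build_sample_bundle() -> bytes:
    """Constructed sample: a minimal extension zip with a stray key file (the key is fake)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("manifest.json", '{"name": "demo", "manifest_version": 2}')
        zf.writestr("background.js", "console.log('hello');")
        zf.writestr("extension.pem", "-----BEGIN RSA PRIVATE KEY-----\nFAKE\n-----END RSA PRIVATE KEY-----\n")
    return buf.getvalue()


if __name__ == "__main__":
    for line in scan_zip(build_sample_bundle()):
        print(line)  # prints the two findings for extension.pem
```

Wire `scan_zip` into the packaging step so a non-empty result fails the build; a real bundle should produce no findings at all.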
All in all, the company was quick to react and address the security concerns, but the fumbled launch certainly isn’t helping the struggling firm look particularly good after the resume-padding drama that forced then-CEO Scott Thompson to resign, and the insider trading charges involving a former Yahoo executive.