Earlier today, Yahoo released its new browser extension for Google Chrome and Firefox, and a browser for the iPhone and iPad, after news of the launch leaked. However, it looks like they did it in a hurry and made a serious blunder when releasing the Google Chrome extension.
As spotted by @nikcub, Yahoo included its private signing key with the Chrome extension. With that key in hand, anyone can sign their own packages as if they were Yahoo. I was able to confirm that the file was available inside the extension.
Nik demonstrates the consequences of the mistakenly included private key in a detailed blog post, which you can read here. The extension as shipped is not itself harmful, but the key would allow scammers or phishers to pass off rogue extensions as Yahoo's, or to re-upload the original extension with something malicious added.
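To make the impact concrete, here is an added example (not code from the original post, and not Yahoo's or @nikcub's) that shows, with only the Python standard library, why the signing key is the identity of a Chrome extension. It builds and parses the CRX2 container format Chrome used at the time (magic `Cr24`, version, key length, signature length, DER public key, signature, zip payload) and derives the extension ID the way Chrome does: the first 128 bits of the SHA-256 of the public key, with each hex digit mapped to a letter a..p. A package signed with the same key gets the same ID, whatever is in the zip, while an attacker's own key yields a different ID. It also scans the zip payload for PEM private key blocks, the pre-upload check that would have caught this mistake. The key blobs, signatures and package contents are constructed stand-ins (the ID derivation only needs bytes, so opaque blobs stand in for real DER keys and RSA signatures); no signature verification is performed.

```python
"""Added example: extension identity is bound to the signing key (CRX2 format)."""
import hashlib
import io
import re
import struct
import zipfile

CRX2_MAGIC = b"Cr24"
PEM_PRIVATE_KEY_RE = re.compile(rb"-----BEGIN (?:RSA |EC |DSA |ENCRYPTED |)PRIVATE KEY-----")


def build_crx2(der_public_key: bytes, signature: bytes, zip_payload: bytes) -> bytes:
    """Assemble a CRX2 container: magic, version 2, key length, sig length, key, sig, zip."""
    header = CRX2_MAGIC + struct.pack("<III", 2, len(der_public_key), len(signature))
    return header + der_public_key + signature + zip_payload


def parse_crx2(blob: bytes):
    """Split a CRX2 container into (public_key, signature, zip_payload).
    The RSA signature is deliberately not verified here; the point is how the
    extension's identity is derived from the key, not how the signature is checked."""
    if blob[:4] != CRX2_MAGIC:
        raise ValueError("not a CRX file")
    version, key_len, sig_len = struct.unpack("<III", blob[4:16])
    if version != 2:
        raise ValueError(f"unsupported CRX version {version}")
    sig_start = 16 + key_len
    zip_start = sig_start + sig_len
    return blob[16:sig_start], blob[sig_start:zip_start], blob[zip_start:]


def extension_id_from_public_key(der_public_key: bytes) -> str:
    """Chrome's ID derivation: SHA-256 of the DER public key, first 16 bytes,
    each hex digit 0-9a-f mapped to the letters a-p."""
    digest = hashlib.sha256(der_public_key).hexdigest()[:32]
    return "".join(chr(ord("a") + int(h, 16)) for h in digest)


def crx2_extension_id(blob: bytes) -> str:
    public_key, _sig, _zip = parse_crx2(blob)
    return extension_id_from_public_key(public_key)


def find_private_keys(zip_payload: bytes) -> list:
    """Return names of files inside the package that contain a PEM private key block."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_payload)) as zf:
        for name in zf.namelist():
            if PEM_PRIVATE_KEY_RE.search(zf.read(name)):
                hits.append(name)
    return hits


def make_zip(files: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed stand-ins (not real keys): Chrome would carry a DER
# SubjectPublicKeyInfo and an RSA signature, but only the bytes matter here.
VENDOR_PUBKEY = b"constructed-vendor-public-key-der"
ATTACKER_PUBKEY = b"constructed-attacker-own-public-key"
FAKE_SIG = b"\x00" * 16

ORIGINAL_ZIP = make_zip({
    "manifest.json": b'{"name": "Vendor Toolbar", "version": "1.0"}',
    "background.js": b"console.log('hello');",
    # the blunder: the signing key shipped inside the package (constructed content)
    "vendor.pem": b"-----BEGIN RSA PRIVATE KEY-----\nconstructed\n-----END RSA PRIVATE KEY-----\n",
})
ROGUE_ZIP = make_zip({
    "manifest.json": b'{"name": "Vendor Toolbar", "version": "1.1"}',
    "background.js": b"/* attacker-controlled code would go here */",
})


def demo() -> dict:
    original = build_crx2(VENDOR_PUBKEY, FAKE_SIG, ORIGINAL_ZIP)
    # with the leaked key, arbitrary content is packaged under the vendor's identity
    rogue_same_key = build_crx2(VENDOR_PUBKEY, FAKE_SIG, ROGUE_ZIP)
    # without the key, the attacker's package is a different extension
    rogue_own_key = build_crx2(ATTACKER_PUBKEY, FAKE_SIG, ROGUE_ZIP)
    return {
        "original_id": crx2_extension_id(original),
        "rogue_same_key_id": crx2_extension_id(rogue_same_key),
        "rogue_own_key_id": crx2_extension_id(rogue_own_key),
        "leaked_key_files": find_private_keys(parse_crx2(original)[2]),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running it shows the original and the same-key rogue package sharing one 32-letter ID while the attacker's own key produces a different one, and the scanner flagging `vendor.pem`. The same scan applied to the unpacked extension directory before packaging is the cheapest guard against shipping a key; the ID check is what an installer or reviewer can use to confirm that two packages were signed by the same key.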
As a user, you should remove the current extension until Yahoo fixes this problem. To fix it, Yahoo would need to generate a new key pair and sign the extension again, and Google would probably have to reject the old key when installing extensions.
This is not the first time such a blunder has happened when news leaked hours before a release, but it is definitely a very big mistake on Yahoo's part.