Yahoo Includes Certificate Private Key Inside Chrome Extension for Axis
By Keith Dsouza on May 24th, 2012

Earlier today, Yahoo released their new browser extension for and and browser for and after news leaked about it. However, it looks like they did it in a hurry and made a huge blunder while releasing their .

Yahoo Axis Certificate Private Key

As spotted by @nikcub, Yahoo has included their private key with the Chrome extension. This private key will allow other users to sign their applications as Yahoo. I was able to confirm that the file was available inside the extension.

Nik further demonstrates the risk of the mistakenly included private key in a detailed blog post which you can read here. While the extension itself would not be a problem currently, the leaked key would allow scammers or phishers to pass off rogue extensions as those created by Yahoo, or to re-upload the original extension with something rogue added.

As a user, you should remove the current extension until Yahoo fixes this problem. To fix it, Yahoo would need to create a new certificate and sign their extension again, and Google would probably have to reject the old certificate when installing extensions.

This is not the first time that such a blunder has happened when news has leaked hours before a release, but this is definitely a very big problem on Yahoo’s part.

Author: Keith Dsouza