Australian Technology

A bad week for launches

Takeaway: You’d be wrong to expect that internet giants Yahoo and Spotify would be able to launch new services without incident.

Wow. Yahoo has truly outdone itself this time — Security 101 has been tossed aside.

Hot on the heels of the company’s launch of its Axis iOS browser and desktop plug-in, Australian-born internet scallywag Nik Cubrilovic took to the Chrome extension, and noticed that Yahoo had packaged its private key into the crx package.


Yes, folks, that is Yahoo’s private key.
(Screenshot by Nik Cubrilovic)

Cubrilovic then went ahead and created the yahoo-spoof package that triggers a JavaScript alert on every page that the user visits.


Yahoo spoof showing its alert box.
(Screenshot by Chris Duckett/TechRepublic)

Cubrilovic wrote in a blog post that the implications of being able to forge a package with the Yahoo key would be the ability to capture all web traffic, including passwords and session cookies. To get the spoof package installed, he said that a DNS hack on the package’s update URL would allow for the forged package to silently update and replace the Axis plug-in.

A commenter purporting to be Ethan Batraski, Yahoo director of product management, said that Yahoo has disabled the Chrome extension, and blacklisted the key with Google.

The obvious moral to this story is that as far as security is concerned, making public one’s private key is not recommended.
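
A release-time check for the mistake described above, as an added example that is not from the original article, from Cubrilovic or from Yahoo: it scans a packed extension (a plain ZIP, or a CRX2/CRX3 file) for PEM private-key blocks before it ships. The `key.pem` name, the helper names and the sample package are constructed for illustration.

```python
import io
import re
import struct
import zipfile

# PEM armour for RSA / EC / PKCS#8 / OpenSSH private keys.
PEM_PRIVATE_KEY = re.compile(rb"-----BEGIN (?:[A-Z0-9]+ )*PRIVATE KEY-----")


def zip_payload(package: bytes) -> bytes:
    """Return the ZIP part of a package, skipping a CRX header if present."""
    if package[:4] != b"Cr24":
        return package                      # plain .zip, as uploaded to a store
    version, = struct.unpack_from("<I", package, 4)
    if version == 2:                        # CRX2: key length, signature length
        key_len, sig_len = struct.unpack_from("<II", package, 8)
        return package[16 + key_len + sig_len:]
    if version == 3:                        # CRX3: one length-prefixed header
        header_len, = struct.unpack_from("<I", package, 8)
        return package[12 + header_len:]
    raise ValueError(f"unsupported CRX version {version}")


def find_private_keys(package: bytes) -> list[str]:
    """Names of archive members that contain PEM private-key material."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_payload(package))) as archive:
        for info in archive.infolist():
            if not info.is_dir() and PEM_PRIVATE_KEY.search(archive.read(info)):
                hits.append(info.filename)
    return hits


def build_sample(with_key: bool) -> bytes:
    """Constructed sample: CRX2-framed archive with dummy key/signature bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("manifest.json", '{"name": "sample", "version": "1.0"}')
        if with_key:
            # Placeholder body, not a real key.
            archive.writestr("key.pem", "-----BEGIN RSA PRIVATE KEY-----\n"
                             "CONSTRUCTED\n-----END RSA PRIVATE KEY-----\n")
    pubkey, sig = b"K" * 8, b"S" * 4
    header = b"Cr24" + struct.pack("<III", 2, len(pubkey), len(sig))
    return header + pubkey + sig + buf.getvalue()


if __name__ == "__main__":
    print(find_private_keys(build_sample(with_key=True)))
```

Run as a build step, a non-empty result should fail the release so the signing key never leaves the build machine.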

Earlier this week, music-streaming service Spotify launched in Australia.

The Australian site simply runs out of a sub-directory off the main site, and visitors were presented with an invalid certificate error.

Spotify fixed the redirect issue on the home page quickly after launch on Tuesday, but you can still force the issue by visiting links like this.

It just proves that once again, even in internet darlings of past and present, mistakes can and will happen.


Chris Duckett

About Chris Duckett

Programmer and journalist Chris Duckett is the Editor for TechRepublic Australia.

Chris started his journalistic adventure in 2006 as the Editor of Builder AU after originally joining the company as a programmer. He left CBS Interactive in 2010 to follow his deep desire to study the snowdrifts and culinary delights of Canada and returned to CBS in 2011 as the Editor of TechRepublic Australia, determined to meld together his programming and journalistic tendencies once and for all.