Wow. Yahoo has truly outdone itself this time — Security 101 has been tossed aside.
Hot on the heels of the company's launch of its Axis iOS browser and desktop plug-in, Australian-born internet scallywag Nik Cubrilovic took a look at the Chrome extension and noticed that Yahoo had packaged its private signing key into the crx package, right alongside the code that key was meant to vouch for.
Cubrilovic wrote in a blog post that anyone holding the key could forge a package Chrome would accept as genuine Axis, and that such a package would be able to capture all web traffic, including passwords and session cookies. To get the spoof package installed, he said, a DNS hijack of the package's update URL would be enough for the forged package to be pulled down silently as an update and replace the real Axis plug-in.
A commenter purporting to be Ethan Batraski, Yahoo's director of product management, said that Yahoo had disabled the Chrome extension and blacklisted the key with Google.
The obvious moral to this story is that, as far as security is concerned, publishing one's private key is not recommended: the signing key belongs on the build machine, never inside the package it signs.
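As an added example, not code from the original article and not Yahoo's, here is a stdlib-only Python audit of a CRX2 package that checks for exactly the two problems described above: it parses the Cr24 header, derives the extension ID from the embedded public key the way Chrome does, scans the zip payload for PEM private-key banners, and flags a manifest update_url that is not served over HTTPS (a plain-HTTP update URL is what makes the DNS-hijack delivery cheap). The sample package, its key and signature bytes, and the update URL are constructed placeholders; no real RSA key is involved and the signature is not verified.

```python
"""Audit a Chrome CRX2 package for shipped private-key material and a
plain-HTTP update_url. Stdlib only. The sample package built below is a
constructed placeholder, not Yahoo's Axis extension."""
import hashlib
import io
import json
import struct
import zipfile

CRX_MAGIC = b"Cr24"
CRX_VERSION = 2
# CRX2 header: magic, version, public key length, signature length (all LE u32)
HEADER = struct.Struct("<4sIII")

# PEM banners that must never appear inside an extension payload.
PRIVATE_KEY_MARKERS = (
    b"-----BEGIN RSA PRIVATE KEY-----",
    b"-----BEGIN PRIVATE KEY-----",
    b"-----BEGIN EC PRIVATE KEY-----",
    b"-----BEGIN OPENSSH PRIVATE KEY-----",
)


def parse_crx2(blob):
    """Return (public_key_der, signature, zip_bytes) from a CRX2 container."""
    magic, version, key_len, sig_len = HEADER.unpack_from(blob, 0)
    if magic != CRX_MAGIC:
        raise ValueError("not a CRX file")
    if version != CRX_VERSION:
        raise ValueError("only CRX version 2 is handled here")
    off = HEADER.size
    pubkey = blob[off:off + key_len]
    off += key_len
    signature = blob[off:off + sig_len]
    off += sig_len
    return pubkey, signature, blob[off:]


def extension_id(pubkey_der):
    """Chrome derives the 32-char ID from the first 128 bits of SHA-256 over
    the DER public key, spelled in the a..p alphabet instead of hex digits."""
    digest = hashlib.sha256(pubkey_der).hexdigest()[:32]
    return "".join(chr(ord("a") + int(c, 16)) for c in digest)


def audit_payload(zip_bytes):
    """Return (kind, path, detail) findings for the zip payload of a CRX."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            data = zf.read(info)
            for marker in PRIVATE_KEY_MARKERS:
                if marker in data:
                    findings.append(("private_key", info.filename, marker.decode()))
                    break
        if "manifest.json" in zf.namelist():
            manifest = json.loads(zf.read("manifest.json"))
            url = manifest.get("update_url", "")
            # A non-HTTPS update URL lets a DNS hijacker serve a forged update.
            if url and not url.startswith("https://"):
                findings.append(("insecure_update_url", "manifest.json", url))
    return findings


def build_sample_crx(include_key):
    """Construct a CRX2 blob for demonstration. Key and signature bytes are
    placeholders (not a real key, not signed); the update URL is made up."""
    fake_pubkey = b"\x30\x0d" + bytes(range(13))   # constructed DER-looking bytes
    fake_signature = b"\x00" * 128                   # placeholder, never verified
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        manifest = {"name": "sample", "version": "1.0",
                    "update_url": "http://updates.example.test/update.xml"}
        zf.writestr("manifest.json", json.dumps(manifest))
        zf.writestr("background.js", "console.log('hello');")
        if include_key:
            # The mistake under discussion: the signing key inside the package.
            zf.writestr("key.pem",
                        "-----BEGIN RSA PRIVATE KEY-----\ncGxhY2Vob2xkZXI=\n"
                        "-----END RSA PRIVATE KEY-----\n")
    zip_bytes = buf.getvalue()
    header = HEADER.pack(CRX_MAGIC, CRX_VERSION, len(fake_pubkey), len(fake_signature))
    return header + fake_pubkey + fake_signature + zip_bytes


def audit_crx(blob):
    """Parse a CRX2 blob and return (extension_id, findings)."""
    pubkey, _signature, zip_bytes = parse_crx2(blob)
    return extension_id(pubkey), audit_payload(zip_bytes)


if __name__ == "__main__":
    ext_id, findings = audit_crx(build_sample_crx(include_key=True))
    print("extension id:", ext_id)
    for kind, path, detail in findings:
        print(f"{kind}: {path}: {detail}")
```

Run it against a real .crx by reading the file into `audit_crx`; a `private_key` finding means the package carries the very secret that is supposed to protect it, and an `insecure_update_url` finding means the update channel can be redirected without breaking TLS.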
Earlier this week, music-streaming service Spotify launched in Australia.
The Australian site simply runs out of a sub-directory off the main site, and the redirect to it presented visitors with an invalid certificate error.
Spotify fixed the redirect issue on the home page quickly after launch on Tuesday, but you can still trigger the certificate error by visiting links like this.
It proves, once again, that even at internet darlings past and present, mistakes can and will happen.
Some would say that it is a long way from software engineering to journalism; others would correctly argue that it is a mere 10 metres according to the floor plan. During his first five years with CBS Interactive, Chris started his journalistic adventure in 2006 as the Editor of Builder AU after originally joining the company as a programmer. Leaving CBS Interactive in 2010 to follow his deep desire to study the snowdrifts and culinary delights of Canada, Chris based himself in Vancouver and paid for his new snowboarding and poutine cravings as a programmer for a lifestyle gaming startup. Chris returned to CBS in 2011 as the Editor of TechRepublic Australia, determined to meld together his programming and journalistic tendencies once and for all. In his free time, Chris is often seen yelling at different operating systems for their own unique failures, avoiding the dreaded tech support calls from relatives, and conducting extensive studies of internets; he claims he once read an entire one.