Yahoo Includes Private Key In Source File For Axis Chrome Extension

timothy posted more than 2 years ago | from the open-source-rocks dept.

Security

Trailrunner7 writes "Yahoo on Wednesday launched a new browser called Axis and researchers immediately discovered that the company had mistakenly included its private signing key in the source file, a serious error that would allow an attacker to create a malicious, signed extension for a browser that the browser will then treat as authentic. The mistake was discovered on Wednesday, soon after Yahoo had launched Axis, which is both a standalone browser for mobile devices as well as an extension for Firefox, Chrome, Safari and Internet Explorer. ... Within hours of the Axis launch, a writer and hacker named Nik Cubrilovic had noticed that the source file for the Axis Chrome extension included the private PGP key that Yahoo used to sign the file. That key is what the Chrome browser would look for in order to ensure that the extension is legitimate and authentic, and so it should never be disclosed publicly."

85 comments

Yeah... (3, Insightful)

Anonymous Coward | more than 2 years ago | (#40101469)

...this is the group of clowns I want developing my browser extensions for me. Amiright?

Re:Yeah... (3, Interesting)

Jeremiah Cornelius (137) | more than 2 years ago | (#40101573)

Getting this back? HAH! Put that toothpaste back in the tube, Yahoo!

They also included the letter "A" from Adobe in the source. This is a bitch.

Exhibit A: http://37prime.com/news/wp-content/uploads/2012/05/Yahoo-Axis.jpg [37prime.com]

Exhibit B: http://www.mobilemarketingwatch.com/wordpress/wp-content/uploads/2012/02/Adobe-Shakes-Up-Digital-Publishing-With-Embellished-Platform.png [mobilemarketingwatch.com]

Re:Yeah... (1)

cpu6502 (1960974) | more than 2 years ago | (#40101759)

Not the same A. Close... but the bottom leg is different.

"That little bitty ting. It's not the same." (1)

Anonymous Coward | more than 2 years ago | (#40101837)

Vanilla Ice? Is that you?

http://www.youtube.com/watch?v=1s0hEi8zhmg

Re:Yeah... (5, Funny)

localman57 (1340533) | more than 2 years ago | (#40101741)

...this is the group of clowns I want developing my browser extensions for me. Amiright?

It'll be fine. They all have computer science degrees. They said so on their resumes.

Re:Yeah... (5, Funny)

Beardo the Bearded (321478) | more than 2 years ago | (#40101943)

...this is the group of clowns I want developing my browser extensions for me. Amiright?

Really?

You didn't go with "bunch of yahoos"?

Re:Yeah... (0)

Anonymous Coward | more than 2 years ago | (#40101965)

...this is the group of yahoos I want developing my browser extensions for me. Amiright?

FTFY!

Re:Yeah... (1)

bobcat7677 (561727) | more than 2 years ago | (#40102301)

I hesitate to speculate on what's happening over at Yahoo. But whatever it is, it can't be good, and hasn't been good for a long time. The "new" yahoo mail is shiite. I used to use yahoo bookmarks to keep track of links wherever I might be...they "upgraded" that and now it's dog slow and won't even allow you to view bookmarks if you have more than a certain amount per folder. Completely useless. The Yahoo "toolbar" has caused problems with more computers than I can count. First thing I do when my friends/family bring me their "slow" computer is uninstall that crap. So far not one has said they actually used it. I could go on, but you get the idea. Lots of code, with no quality in sight.

Re:Yeah... (1)

Anonymous Coward | more than 2 years ago | (#40107209)

Nothing interesting has happened at Yahoo since before 2000. Of all the Old Internet firms to survive on inertia, Yahoo is the most significant. I had an old and fairly clueless friend who managed to get a senior admin position there on personal contacts, and they basically did fuck all but ride the wave.

Can it be changed (0)

Billly Gates (198444) | more than 2 years ago | (#40101491)

Without breaking all the add-ons? This will hurt Chromium browsers too if Google quickly changes the keys, as add-ons will break.

Also, what is the chance of an add-on installing itself in a drive-by from this? Should I worry about this using Chrome?

Re:Can it be changed (3, Informative)

oakgrove (845019) | more than 2 years ago | (#40101517)

The cert is revoked and Chrome now says "This extension is blacklisted." when you try to install it.

Re:Can it be changed (1)

rrohbeck (944847) | more than 2 years ago | (#40102909)

So that's why there was a Chrome update last night? That was quick.

Re:Can it be changed (2, Informative)

Anonymous Coward | more than 2 years ago | (#40106707)

No, Chrome polls for a list of blacklisted plugins every few hours. It's entirely independent of the browser updates.

Re:Can it be changed (0)

errandum (2014454) | more than 2 years ago | (#40101521)

The key is user-based and not browser based. It is used to identify you as the source of the material.

It won't hurt anyone else other than yahoo.

Re:Can it be changed (0, Troll)

Jawnn (445279) | more than 2 years ago | (#40101585)

Riiight. Think just a little bit longer/harder on that one.

Re:Can it be changed (0)

mwvdlee (775178) | more than 2 years ago | (#40101663)

Please explain instead of assuming you are right and we'll all see how right you are if only we were as smart as you.

Re:Can it be changed (5, Funny)

localman57 (1340533) | more than 2 years ago | (#40101843)

Please explain instead of assuming you are right and we'll all see how right you are if only we were as smart as you.

My cousin was on crank for a while. One time he was tweaking for about 3 days straight. And about halfway through, his sentences sounded just like that.

Re:Can it be changed (1)

Sulphur (1548251) | more than 2 years ago | (#40102503)

Please explain instead of assuming you are right and we'll all see how right you are if only we were as smart as you.

My cousin was on crank for a while. One time he was tweaking for about 3 days straight. And about halfway through, his sentences sounded just like that.

Is that why they call it crank; because words keep turning up like pedals on a bike?

Re:Can it be changed (0)

Anonymous Coward | more than 2 years ago | (#40101873)

Google public/private encryption. Last I checked Wikipedia was good.

I've tried to explain it to people in person before; some people get it within a minute or two, some people never do. I have no intention of beating my head against the wall trying to explain it to a user on slashdot. Go google it.

Re:Can it be changed (1)

mwvdlee (775178) | more than 2 years ago | (#40101977)

Yes, we all know how public/private keys work.
But that doesn't explain how it can hurt anybody except Yahoo now that Google has revoked it.

Re:Can it be changed (2)

idontgno (624372) | more than 2 years ago | (#40102171)

How about, "It hurts users who have loaded extensions signed with Yahoo's private key, who now have to unload those extensions and find updated versions signed with Yahoo's new private key."

Fer instance.

BTW, "hurt" is the drama-queen way to express the impact. "Inconvenience" is more accurate. Both for Yahoo, and users who have trusted Yahoo's old signatures, as long as the revocation is effective and quick enough to prevent Yahoo-signed malware from getting a foothold.

If that happens, the impact to users escalates beyond "inconvenience" to "big inconvenience" or "real hurt", depending on what gets compromised. "Big inconvenience" == your machine becomes part of a botnet. "Real hurt" becomes a keylogger that transmits your banking or other personal information to an online criminal who strips your bank accounts and begins to use your identity fraudulently.

Re:Can it be changed (0)

Anonymous Coward | more than 2 years ago | (#40101849)

He means user as in extension developer. I'm not sure why you got modded insightful.

Re:Can it be changed (4, Informative)

GerbilSoft (761537) | more than 2 years ago | (#40101541)

It's Yahoo's private key that was leaked, not Google's. Assuming Chrome's certificate system is reasonably decent, Yahoo should be able to publish a CRL to revoke that certificate and/or key, and then generate a new one.

Re:Can it be changed (1)

X0563511 (793323) | more than 2 years ago | (#40103633)

Supposedly this is already done. ... at least on Google's end. I don't use Chrome, so I have no idea if this is a manual blacklisting or a CRL.

Re:Can it be changed (1)

Anonymous Coward | more than 2 years ago | (#40101571)

The only thing that got leaked was Yahoo's private key, i.e. what is used to prove that the extension is made by Yahoo. So as long as you don't install any extensions that claim that they are made by Yahoo, you should be fine.

Drive-by downloads/installation would be a separate issue with browser security. I have no clue if there are any exploits in the wild that allow this. (I would think that most of these would be malware installed on your computer that modified your Chrome installation as opposed to "visit a website, extension installed automatically").

Re:Can it be changed (0)

Anonymous Coward | more than 2 years ago | (#40105351)

The only thing that got leaked was Yahoo's private key, i.e. what is used to prove that the extension is made by Yahoo. So as long as you don't install any extensions that claim that they are made by Yahoo, you should be fine.

Drive-by downloads/installation would be a separate issue with browser security. I have no clue if there are any exploits in the wild that allow this. (I would think that most of these would be malware installed on your computer that modified your Chrome installation as opposed to "visit a website, extension installed automatically").

Actually, the way the certificates work with Chrome is that each extension has its own pub/priv key pair, not each publisher. The exposure of this key would allow faked updates to the Axis extension, but not spoofing Yahoo as the publisher of a different extension.

Re:Can it be changed (1)

The MAZZTer (911996) | more than 2 years ago | (#40101579)

Key signing is only a concern if you install addons from sources other than the Chrome Web Store. If you upload an app to the Chrome Web Store Google takes care of the key signing for you (you upload in a simple ZIP file and Google generates the signed CRX file for you).

I THINK the purpose of key signing is to ensure that updates to an extension are signed with the same key, but I'm not sure. Users are normally never notified about anything concerning the key used to sign any extension. At any rate, whenever you install a new extension OR an update to an extension asks for new security permissions, there's always a prompt you must agree to.

So it's probably safe enough to NEVER install Axis until Yahoo releases a version that's signed with a new key. I think other extensions should be unaffected.

Re:Can it be changed (5, Insightful)

mcgrew (92797) | more than 2 years ago | (#40101643)

Should I worry about this using Chrome?

No, but you should worry about using the Axis extension. If they're going to make a mistake that incredibly stupid, you'd be a fool to use it. What other gaping holes did they leave open?

Re:Can it be changed (4, Funny)

localman57 (1340533) | more than 2 years ago | (#40101983)

What other gaping holes did they leave open?

Everyone is advised to be very, very careful what links they click on from this parent post. You guys know what I'm talking about....

Re:Can it be changed (1)

Billly Gates (198444) | more than 2 years ago | (#40104117)

What other gaping holes did they leave open?

Everyone is advised to be very, very careful what links they click on from this parent post. You guys know what I'm talking about....

What like this one? [clownsong.com]

Re:Can it be changed (0)

Anonymous Coward | more than 2 years ago | (#40102979)

What other gaping holes did they leave open?

That's nothing, you should install the Goatse extension.

Not a mistake (0)

Anonymous Coward | more than 2 years ago | (#40101493)

Think about all the free PR from all those signed extensions!

"...but not so open that your brains fall out." (5, Funny)

jeffb (2.718) (1189693) | more than 2 years ago | (#40101519)

That's how open your source should be.

Re: (0)

Anonymous Coward | more than 2 years ago | (#40101669)

This proves yahoo zombies eat braaaaaaiiiiiiiiinnnnssss

Poor Yahoo (4, Funny)

alphax45 (675119) | more than 2 years ago | (#40101535)

I almost feel bad for them at this point. They are trying but can't seem to do anything to help themselves.

Re:Poor Yahoo (1, Insightful)

Anonymous Coward | more than 2 years ago | (#40101605)

I think this might go down as the moment where Yahoo? lost their last shred of credibility as a technology company. And it's not this one mistake that signals the end...it's the fact that I'm not that surprised by it. If it were Google or even Facebook I would be shocked. But Yahoo? Yeah, sounds about right.

For a long time I've said that Yahoo? needs to forget the fact that they started as a search company. They're still a serious player in online display advertising and they own a lot of properties that are disproportionately valuable in terms of CPM. They should stop trying to come up with new doohickies and focus on what they do best - selling targeted advertising to major advertisers.

It's a shame that they didn't hit the goldmine like google or fb did, but there's no point in letting the past get in the way of the opportunities of the moment. Yahoo could still be one hell of an ad network.

Re:Poor Yahoo (1)

Anonymous Coward | more than 2 years ago | (#40102197)

I tend to agree. What'll be key here is how well and how fast they fix & reduce this faux pas. That'll reflect true dev resources, and I'm not sure they have any.

About a decade ago they tried to hire me. Big push to assemble a dream team of web developers, big offers with full perks already long vanished in the post-boom. The top-ordained plan was to hire all of the Names their devs respected, with serious funding and empowerment of their web staff thereafter.

They'd figured out being second-place to Google wasn't a long-term survival plan, and that they'd have to scrap hard with Google for the first place in web development just to survive.

Sounded like a good plan. Nothing ever came of it. They didn't get me, or any of the people I knew, and from the outside it didn't look like they did anything to empower their existing teams.

There's just something culturally wrong with the place. Which, yeah, is a shame because they're sitting on quite a pile of resources. That's quite a base for a company that really wants to use web development as their cutting edge. It'd be interesting to watch.

Re:Poor Yahoo (1)

alphax45 (675119) | more than 2 years ago | (#40103107)

Agree with you both and nice insight into why they might be in this mess.

This was entirely preventable. No pity for cheapos (1)

Anonymous Coward | more than 2 years ago | (#40101809)

This is exactly what happens when you hire too few senior level technicians.

Yes, they are more expensive than their entry-level counterparts. But as stories like this one show, they are worth it.

Re:This was entirely preventable. No pity for chea (3, Funny)

Anonymous Coward | more than 2 years ago | (#40101857)

Maybe they have a habit of hiring expensive people who claimed they were senior level in their resume?

Re:Poor Yahoo (3, Insightful)

virgnarus (1949790) | more than 2 years ago | (#40102247)

Nothing like what appears to be a genuine display of pity and compassion on a dying entity being modded up as "Funny". Certainly tells you how much of a laughingstock they are.

Re:Poor Yahoo (1)

alphax45 (675119) | more than 2 years ago | (#40103089)

Thank you for seeing that I was trying to be genuine.

Re:Poor Yahoo (1)

virgnarus (1949790) | more than 2 years ago | (#40104019)

Yah, no prob. To be honest, no matter how big or small a business is, I always feel dismayed seeing it go down. It means jobs lost, investments sunk, and lives altered. Even worse if the company is just trying to honestly make ends meet and ends up losing out. Obviously it's always a risk for those involved, and they are well aware of it, but it doesn't make the process any easier.

Re:Poor Yahoo (0)

Anonymous Coward | more than 2 years ago | (#40102497)

They should never have dropped their search engine...

Re:Poor Yahoo (1)

Sulphur (1548251) | more than 2 years ago | (#40102539)

I almost feel bad for them at this point. They are trying but can't seem to do anything to help themselves.

Maybe they should mob up with Time-Warner; it's the only way to be sure.

Dumb question... (1)

Reasonable Facsimile (2478544) | more than 2 years ago | (#40101561)

Will the exploit still work/exist after Yahoo releases a fix?

Re:Dumb question... (3, Informative)

MickyTheIdiot (1032226) | more than 2 years ago | (#40101599)

Cert has been revoked according to above notes.

So, no, it already doesn't work. It just shows someone truly had a bad day at Yahoo yesterday (and probably before that as well).

Re:Dumb question... (1)

Reasonable Facsimile (2478544) | more than 2 years ago | (#40101647)

Cert has been revoked according to above notes.

So, no, it already doesn't work. It just shows someone truly had a bad day at Yahoo yesterday (and probably before that as well).

Thanks (don't know how I missed that originally).

Re:Dumb question... (1)

Hotawa Hawk-eye (976755) | more than 2 years ago | (#40102349)

Thanks (don't know how I missed that originally).

That's what he [wikipedia.org] said.

Re:Dumb question... (1)

rastos1 (601318) | more than 2 years ago | (#40103129)

Cert has been revoked ...

At first I was wondering what does PGP (mentioned in TFS/TFA) have to do with certificates? Nothing. The file included was a .pem (PKCS private key). Another question is - wasn't the private key file protected with a passphrase?

Oops (0)

Anonymous Coward | more than 2 years ago | (#40101563)

Oops

LMAO!!! (0)

MickyTheIdiot (1032226) | more than 2 years ago | (#40101567)

This is great.

It's the final notice that every person with any competency at Yahoo has left the building (with the fake CS degrees in tow).

Exuberance (5, Funny)

virgnarus (1949790) | more than 2 years ago | (#40101595)

Did the hacker exclaim "Yahoo!" after he discovered it?

Re:Exuberance (0)

Anonymous Coward | more than 2 years ago | (#40101973)

http://www.youtube.com/watch?v=KJHN3XnnlBk&t=31s

Re:Exuberance (1)

ch-chuck (9622) | more than 2 years ago | (#40102701)

Maybe, but I'm sure the package maintainer at yahoo! definitely had an 'oh shit!' moment.

Hi (3, Insightful)

Anonymous Coward | more than 2 years ago | (#40101727)

Once again, THIS IS A BROWSER EXTENSION ON THE DESKTOP, and a FRONT END FOR MOBILE SAFARI.

This is not a browser. This is NOT a BROWSER. FOR FUCK SAKES THIS IS NOT A BROWSER

Hey, check out this brand new compiler I wrote! It's called yahoo_compiler.sh

    gcc $@

pretty cool huh?

Re:Hi (1)

Anonymous Coward | more than 2 years ago | (#40102127)

pretty cool huh?

No... It doesn't even work!

$ cat yahoo_compiler.sh
gcc $@

$ cat hello\ world.c
#include <stdio.h>
int main()
{
puts("Hello world\n");
return(0);
}

$ ./yahoo_compiler.sh hello\ world.c
gcc: hello: No such file or directory
gcc: world.c: No such file or directory
gcc: no input files

You might want to use gcc "$@"

Re:Hi (0)

Anonymous Coward | more than 2 years ago | (#40103953)

So you're saying that the yahoo_compiler was actually written by Yahoo?

Re:Hi (0)

Anonymous Coward | more than 2 years ago | (#40108019)

That should really be: gcc "$@"

Absolutely gibberish article summary (5, Insightful)

Anonymous Coward | more than 2 years ago | (#40101825)

Wake up editors:

"Yahoo on Wednesday launched a new browser called Axis and researchers immediately discovered that the company had mistakenly included its private signing key in the source file, a serious error that would allow an attacker to create a malicious, signed extension for a browser that the browser will then treat as authentic"

Okay, perfect so far.

"The mistake was discovered on Wednesday, soon after Yahoo had launched Axis, which is both a standalone browser for mobile devices as well as an extension for Firefox, Chrome, Safari and Internet Explorer."

I already knew the mistake was discovered on Wednesday, soon after Yahoo had launched Axis. This sentence does have some new information though.

"Within hours of the Axis launch, a writer and hacker named Nik Cubrilovic had noticed that the source file for the Axis Chrome extension included the private PGP key that Yahoo used to sign the file. That key is what the Chrome browser would look for in order to ensure that the extension is legitimate and authentic, and so it should never be disclosed publicly."

Yes, I know something happened within hours of the Axis launch. You already told me twice. You also already told me why it's bad that the key was available publicly.

Here's a new summary:
On Wednesday, Yahoo! launched a web browser called Axis, which is both a standalone browser for mobile devices and an extension for popular desktop browsers. Shortly after launch, a writer and hacker named Nik Cubrilovic noticed that the Chrome version of the extension mistakenly included the private PGP key that Yahoo used to sign the file. This file could be used to generate a malicious spoof version of the extension.

Never mind the secondary-source quoting, which is also obnoxious.

Re:Absolutely gibberish article summary (5, Insightful)

BattleApple (956701) | more than 2 years ago | (#40102085)

I, for one, welcome our new anonymous summary-critiquing overlord

Re:Absolutely gibberish article summary (0)

Anonymous Coward | more than 2 years ago | (#40106067)

Yours is better. But any newsroom editor will tell you they'll take a good reporter/mediocre writer over a mediocre reporter/good writer.

Substitute "article poster" for "reporter" and "Slashdot" for "newsroom", and there you go. Sometimes the rush to get the scoop takes its toll on the quality of the copy.

Removing Yahoo Axis (0)

Anonymous Coward | more than 2 years ago | (#40101839)

Axis is horrible. I installed it on Mac/Safari last night, and CANNOT remove it. There's no help/support/FAQ from Yahoo at all. I followed the steps from Apple to remove "Unsupported third-party add-ons" (here: http://support.apple.com/kb/TS3230?viewlocale=en_US&locale=en_US ) ... but since there's no HOT GARBAGE folder, I cannot locate where Axis is stored. (Honestly though, I really cannot locate it, and I'm working on conditional CSS tweaks and that Yahoo turd is in my way.)

Searching for "Delete Yahoo Axis" doesn't have any results yet because we're early adopters. Here— I'll bring folks here with a dash of link-sauce, assuming someone will come-up with a solution... "Deleting Yahoo Axis" "Removing Yahoo Axis" "Uninstalling Yahoo Axis"

Cringe-worthy summary. (1)

leftover (210560) | more than 2 years ago | (#40101955)

Although I did not RTFA I must comment that the summary was notably terrible in identifying what was compromised:
"That key is what the Chrome browser would look for in order to ensure that the extension is legitimate and authentic, and so it should never be disclosed publicly."

How about this:
"The value of this key depends solely on everyone else trusting that only Yahoo knows it."

Get your Senior Dev résumés to Yahoo (0)

Anonymous Coward | more than 2 years ago | (#40102389)

Hi:

I hear they're hiring.

Re:Get your Senior Dev résumés to Yahoo (1)

Genda (560240) | more than 2 years ago | (#40105213)

Uh, uh. uh... mustn't forget the firing!!!

from hacker to researcher... (1)

kj_kabaje (1241696) | more than 2 years ago | (#40102431)

ah... how times change. Or is it now white-hat is a researcher and black-hat is a hacker?

Quote mistake: Private vs. public key (1)

Anonymous Coward | more than 2 years ago | (#40102451)

"Axis Chrome extension included the private PGP key that Yahoo used to sign the file. That key is what the Chrome browser would look for in order to ensure that the extension is legitimate and authentic, and so it should never be disclosed publicly."

The Yahoo developer will never get it right by reading /. The public key is used by the browser to verify the extension. The private key is used to sign the extension, not to verify it. The private key is to never be shipped with the browser!

Re:Quote mistake: Private vs. public key (0)

Anonymous Coward | more than 2 years ago | (#40103751)

Interestingly, if you intend to develop an open source Chrome extension that exposes a public API, you'll find that you have to distribute the private key, because if people downstream use their own keys, the extension will get a different ID and it won't receive the messages intended for its API.

Lesson from Crypto 101 class (0)

hAckz0r (989977) | more than 2 years ago | (#40103021)

Never embed a private key in your application, ever. Did I mention never?

No matter how you implement it, someone is going to reverse engineer your app (for fun, or profit) and will discover your darkest of dark secrets. Once they find your key the game is over. There is no going back. Whatever that key is protecting is now open to a hacker's delight field day worthy of its own Defcon capture the flag competition. If you are lucky some nice grey-hat hacker will tell you before you get in too much trouble; if not, you are going to have one very bad day (or days) at the office. There are better ways to handle keys; don't act like a yahoo and take the time to learn how to do it right.

Guess Yahoo fired (err let-go) 'expert' for... (0)

Anonymous Coward | more than 2 years ago | (#40103491)

Guess Yahoo fired (err let-go) their in house experts for how public keys and private keys work. (bunch of dumb-asses). //gh

Game Changer!!! (1)

tunapez (1161697) | more than 2 years ago | (#40103659)

My initial reservations to allowing these yahoos to handle my browsing experience have been quashed. Only a luser wouldn't trust these 'professionals' with his\her datas.

Amateurs (1)

gweihir (88907) | more than 2 years ago | (#40103919)

As long as amateurs are responsible for making "professional" software, security is an illusion. Utterly pathetic, really.

How Chrome extension signing works (4, Informative)

pspmikek (195542) | more than 2 years ago | (#40104313)

I'm not sure everyone understands exactly what this file is.

When you create a Chrome extension, if you are not going to submit the Chrome extension to the store, you ask Chrome to package the extension. In this process, Chrome generates a private key. This key has nothing to do with identifying you as the author. It is only used so that when you update the extension, you can package and sign it using the same key. Everyone has to keep a local copy of this key, because if you lose it, you can never update your extension. It appears Yahoo kept it in their build directory and accidentally packaged it.

Having this private key allows you to build a Chrome extension that when installed overlays the existing Yahoo extension. This is because the private key is how Chrome uniquely identifies an extension.

So yes, this was a dumb mistake. It would allow someone to create an add-on that when installed would overwrite the Yahoo Axis extension. To do this, you would need to create the extension and then convince someone to install it. But if you can convince someone to install it, you can convince them to install any Chrome extension.

This was not giving away "Yahoo's private key," it was giving away "the private key that Chrome generated to allow Yahoo to sign their extension."

There is the remote possibility that Yahoo used a real private key to sign their Chrome extension and not one generated by Chrome. If that's the case, everyone involved in the project should be fired.
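
The derivation pspmikek describes, worked as an added Python example (not Chromium's or Yahoo's code): Chrome computes an extension's ID from the SHA-256 of the packaging key's DER-encoded SubjectPublicKeyInfo, so the same key always yields the same ID and a fresh key yields a different extension. The two moduli below are constructed test numbers, not real RSA keys.

```python
"""Chrome extension IDs are a function of the packaging key, not of the publisher.

Added example, not Chromium's or Yahoo's code. The ID is the first 128 bits of
SHA-256 over the DER-encoded SubjectPublicKeyInfo of the packaging key, written
in Chrome's alphabet (hex digit 0..f -> letter a..p). Whoever holds the matching
private key can package a CRX with the same ID, which Chrome treats as an update
to the installed extension; packaging with a fresh key yields a new ID, i.e. a
different extension that cannot update the old one.
"""
import hashlib


def _der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(content)) + content


def _der_uint(value: int) -> bytes:
    """DER INTEGER for a non-negative value; a leading 0x00 keeps it positive."""
    body = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return _der(0x02, body)


def rsa_spki_der(modulus: int, exponent: int) -> bytes:
    """Encode an RSA public key as a SubjectPublicKeyInfo (RFC 5280, PKCS #1)."""
    rsa_public_key = _der(0x30, _der_uint(modulus) + _der_uint(exponent))
    rsa_encryption_oid = bytes.fromhex("06092a864886f70d010101")  # 1.2.840.113549.1.1.1
    algorithm = _der(0x30, rsa_encryption_oid + b"\x05\x00")        # OID + NULL params
    return _der(0x30, algorithm + _der(0x03, b"\x00" + rsa_public_key))


def hash_to_id(sha256_hex: str) -> str:
    """Chrome's ID alphabet: the first 32 hex digits, each mapped 0..f -> a..p."""
    return "".join(chr(ord("a") + int(c, 16)) for c in sha256_hex[:32])


def chrome_extension_id(spki_der: bytes) -> str:
    return hash_to_id(hashlib.sha256(spki_der).hexdigest())


# Constructed stand-ins for the leaked packaging key and its replacement. The
# moduli are arbitrary 256-bit test numbers, not real RSA keys; the derivation
# only ever sees the public DER bytes, so the private halves are not needed here.
LEAKED_KEY = rsa_spki_der((1 << 255) | 0xC0FFEE, 65537)
REPLACEMENT_KEY = rsa_spki_der((1 << 255) | 0xDECAF, 65537)


def is_update_for(installed_spki: bytes, candidate_spki: bytes) -> bool:
    """Chrome's effective rule: same ID (same key) is an update, otherwise a new extension."""
    return chrome_extension_id(installed_spki) == chrome_extension_id(candidate_spki)


if __name__ == "__main__":
    print("installed  :", chrome_extension_id(LEAKED_KEY))
    # Anyone holding the leaked key reproduces the same ID, so their package is
    # accepted as an update of the installed extension.
    print("same key   :", chrome_extension_id(LEAKED_KEY), is_update_for(LEAKED_KEY, LEAKED_KEY))
    # The vendor's re-keyed build is a different extension and cannot update it,
    # which is why the old ID has to be blacklisted separately.
    print("replacement:", chrome_extension_id(REPLACEMENT_KEY), is_update_for(LEAKED_KEY, REPLACEMENT_KEY))
```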

Re:How Chrome extension signing works (1)

PuZZleDucK (2478702) | more than 2 years ago | (#40106965)

You sound like you know what you're talking about, but from the TP article: "Yahoo officials said that they are in the process of publishing a new, repaired extension".

I don't think Yahoo would be admitting blame or Google revoking keys in Chrome if the key was not significant.

Re:How Chrome extension signing works (0)

Anonymous Coward | more than 2 years ago | (#40107415)

They would and they should. Leaking the private key for an extension means that anyone can update that extension with some random malware, for anyone who happens to have the old version of the extension installed. It doesn't compromise anything else, but that's bad enough.

Yahoo will need to publish a new version of the extension using a new private key, but the old compromised one still needs to be disabled by revoking its key. Since the updated version is, by definition, a new extension and not an update to an old one, Yahoo pretty much have to admit what happened to explain why they can't use the regular update method.

Re:How Chrome extension signing works (1)

pspmikek (195542) | more than 2 years ago | (#40108539)

To add to what Anonymous posted below, what Google has essentially done is blacklisted the ID associated with that key.

They want to be proactive and make sure no one else uses that key because any time a Chrome extension signed with that key is installed, it would always overwrite Yahoo Axis.

Chrome keys are used to generate unique IDs for their extensions: one key == one ID.

They also blacklist IDs for things like malware.

Blacklisting extensions is done by Mozilla as well based on IDs, only the Firefox IDs are generated by the developer of the add-on.

Re:How Chrome extension signing works (0)

Anonymous Coward | more than 2 years ago | (#40107387)

Should you even have it in your build?

You don't have some sort of security officer that signs the release candidate on a machine used for the signing that no-one else has access to?

I am not in the security field but I have watched a few intrigue movies.
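
The question raised here, and pspmikek's point that the key sat in the build directory and got swept into the package, both point at a build-time guard. As an added Python example (not Yahoo's or Chromium's code), this checks the files about to be packaged for private-key material and refuses to build if any is found; the payload below is an in-memory map with constructed file names and contents, so it runs offline.

```python
"""Pre-packaging guard: refuse to build an extension whose payload contains key material.

Added example, not Chromium's or Yahoo's code. It models the failure discussed in
this thread (a .pem packaging key left in the build directory and swept into the
package) over an in-memory {path: bytes} payload so it runs offline; the file
names and contents below are constructed. Only private-key material is flagged:
the public key legitimately travels with the package, the private half never does.
"""
import re
from typing import Dict, List

# PEM labels for private keys (RFC 7468 and the common legacy/OpenSSH variants).
PRIVATE_PEM_LABEL = re.compile(
    rb"-----BEGIN ((?:RSA |EC |DSA |ENCRYPTED |OPENSSH )?PRIVATE KEY)-----"
)
# Raw DER: SEQUENCE { INTEGER 0 (version), then INTEGER n (PKCS #1 RSAPrivateKey)
# or SEQUENCE AlgorithmIdentifier (PKCS #8 PrivateKeyInfo), ... }.
DER_PRIVATE_KEY = re.compile(
    rb"\A\x30(?:[\x00-\x7f]|\x81[\x00-\xff]|\x82[\x00-\xff]{2})\x02\x01\x00(?:\x02|\x30)"
)


def classify(path: str, data: bytes) -> List[str]:
    """Reasons a file must not ship; an empty list means it is clean."""
    reasons = []
    pem = PRIVATE_PEM_LABEL.search(data)
    if pem:
        reasons.append(f"PEM block '{pem.group(1).decode()}'")
    if DER_PRIVATE_KEY.match(data):
        reasons.append("DER-encoded private key structure")
    return reasons


def find_key_material(payload: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Map each offending path to its reasons; {} means the payload may be packaged."""
    return {path: reasons for path, data in sorted(payload.items())
            if (reasons := classify(path, data))}


# Constructed build directory: the manifest, the script and the public key are
# fine, but the packaging key (a placeholder, not a real key) must be caught.
BUILD_PAYLOAD = {
    "manifest.json": b'{"name": "Example Extension", "version": "1.0"}',
    "background.js": b"chrome.runtime.onInstalled.addListener(() => {});",
    "pubkey.pem": b"-----BEGIN PUBLIC KEY-----\nMFwwDQconstructed\n-----END PUBLIC KEY-----\n",
    "build/key.pem": (b"-----BEGIN RSA PRIVATE KEY-----\n"
                      b"MIIEowIBAAKCAQEAconstructed-placeholder-not-a-real-key\n"
                      b"-----END RSA PRIVATE KEY-----\n"),
}

if __name__ == "__main__":
    findings = find_key_material(BUILD_PAYLOAD)
    for path, reasons in findings.items():
        print(f"REFUSE {path}: {', '.join(reasons)}")
    print("package" if not findings else "aborted")
```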

Re:How Chrome extension signing works (1)

pspmikek (195542) | more than 2 years ago | (#40108577)

This isn't really a code signing certificate, this is just a Chrome thing.

What you're referring to is a certificate that a company pays hundreds or thousands of dollars for and gets from a company like Verisign (are they still in business?). This certificate needs to be treated with utmost care because anyone that gets it can sign an executable or other application saying that it came from a specific company.

These certificates should NOT be used to sign Chrome extensions, because in the Chrome world you can only sign one extension for each certificate because the unique ID is based on a hash of the certificate.

Firefox supports using these certificates to sign add-ons. That's why sometimes when you install Firefox add-ons, you see a company name in the install dialog.

Dropping Axis faster than a Neo Zeon Terrorist... (0)

Anonymous Coward | more than 2 years ago | (#40105187)

Too bad it doesn't default to a red color scheme, so I can drop it 3x faster. Especially since it's dog slow on Firefox...

It's called an OpenPGP key. (2)

MagicFab (7234) | more than 2 years ago | (#40106221)

OpenPGP, PGP and GnuPG / GPG are often used interchangeably - a common mistake.

OpenPGP is technically a proposed standard although it is widely used.

PGP is an acronym for Pretty Good Privacy, a computer program which provides cryptographic privacy and authentication.

GnuPG is an abbreviation for Gnu Privacy Guard, another computer program which provides cryptographic privacy and authentication.

gpg is the name of the binary executable file for GnuPG in Gnu/Linux- and Unix-based operating systems.

Re:It's called an OpenPGP key. (0)

Anonymous Coward | more than 2 years ago | (#40107403)

Funny that you were so pedantic about it, but didn't notice it's not a PGP key at all, but a PEM ASN.1 encoded RSA key.

Allied browser? (0)

Anonymous Coward | more than 2 years ago | (#40107041)

> Yahoo on Wednesday launched a new browser called Axis

Where is the Allies browser when you need it?

Yahoo sucks (1)

akubot (1285646) | more than 2 years ago | (#40111053)

One more piece of evidence that explains Yahoo's long, slow decline as a software enterprise.