Yahoo Axis Chrome Extension Leaks Private Certificate File - nikcub
http://nikcub.appspot.com/posts/yahoo-axis-chrome-extension-leaks-private-certificate-file

======
hooande
I think this might go down as the moment where Yahoo? lost their last shred of
credibility as a technology company. And it's not this one mistake that
signals the end...it's the fact that I'm not that surprised by it. If it were
Google or even Facebook I would be shocked. But Yahoo? Yeah, sounds about
right.

For a long time I've said that Yahoo? needs to forget the fact that they
started as a search company. They're still a serious player in online display
advertising and they own a lot of properties that are disproportionately
valuable in terms of CPM. They should stop trying to come up with new
doohickies and focus on what they do best - selling targeted advertising to
major advertisers.

It's a shame that they didn't hit the goldmine like google or fb did, but
there's no point in letting the past get in the way of the opportunities of
the moment. Yahoo could still be one hell of an ad network.

~~~
spoiledtechie
I have to agree with you. They have lost all cred as a tech company and have
been circling the toilet for a while.

Sadly, I think this has a lot to do with management and very little to do with
engineers. I personally feel they are just sitting comfortable trying to
squeeze every dollar out of the company.

------
dws
Yahoo! released Axis (with this very dumb mistake) at 5pm PST, and by 9pm PST
their public key is posted, with a "I report this but have yet to hear back"
note. How, exactly, is this responsible disclosure?

~~~
nikcub
I always, always, always go the route of contacting vendors - over the past 15
years I have reported hundreds of security and privacy vulnerabilities. This
is the first time where I haven't reported to the vendor first before
disclosing.

The way this came about was a bit different, because it started with a
tweet[1] where I pointed out that the file was there, and then it gradually
developed into realizing that it is a pretty big deal. The discovery happened
out in the open. If you look at my timeline and the replies and conversations
you will see how it came about.

With hindsight I could have handled it differently, but it just happened to come
out in this way. I added an update to the end of the post addressing
disclosure. The goal at the moment is to make users aware that there is
potentially a big issue here.

[1] <https://twitter.com/nikcub/status/205489752684765185>

~~~
tptacek
There was zero (0) chance this wasn't going to get found 100 times
independently whether or not you publicized it. Getting it out quick and
loudly was absolutely the right move. You have nothing at all to apologize
for.

~~~
nikcub
Thanks. And you are right, at least two other people found the same thing,
then searched Twitter and found my post about it. One of them was @rasmus, the
creator of PHP (pretty funny timeline of him discovering it and then finding it
on Twitter).

------
drgath
I'm a Yahoo. Reviewing the ticket now and things are being taken care of.

~~~
ktizo
Cue sound of black helicopters being dispatched to visit nikcub.

(only kidding, for one thing Yahoo's black helicopters don't make any sound)

~~~
damncabbage
Doesn't help that the pilots were laid off last month.

(Edit: Hey now, downvoters; I'm an ex-Yahoo! layoff target. What else do I
need to do before I can crack jokes like this? :D )

~~~
res0nat0r
Needs more /r/technology

~~~
res0nat0r
Sadly being downvoted...for not being Reddit worthy on HN. How ironic.

------
jmathai
The most surprising part of this is that there's an established security audit
process for any product before it gets launched to the public. Somehow this
made it through.

From my experience having worked at Yahoo! I'm a bit shocked as the process
has always seemed pretty good.

~~~
debacle
The best process in the world can't make up for people.

~~~
jmathai
Apparently so.

------
DavidSJ
Don't trust credentials from Yahoo, whether cryptographic or educational.

------
Flenser
_I installed the Chrome extension (direct link to original Chrome extension,
probably not a good idea to install it) with the idea of checking out the
source code._

You don't need to install chrome extensions to look at their source, you can
use this extension to view it before installing:

[https://chrome.google.com/webstore/detail/bbamfloeabgknfklmg...](https://chrome.google.com/webstore/detail/bbamfloeabgknfklmgbpjcgofcokhpia)

(ok, you have to install that extension before you can look at its source :)

------
kevinpet
This is not a security flaw in Axis, this is a leaked trusted key that could
be used to sign any extension (or possibly any other type of signed code). Any
code purporting to come from Yahoo is unsafe, probably until Chrome is
updated.

~~~
ajross
Surely Chrome implements a cert revocation mechanism; the idea of using a cert
to establish identity really doesn't work without it (for precisely this
reason). Anyone have details?

~~~
kevinpet
I wasn't sure if it was reliable. I remember during the last "ca leaks root
cert" fiasco there was talk about how browsers don't implement this securely.

~~~
ajross
Right, but that's different. That was a _root_ certificate that was
compromised: something you can use to make new certs. The basic certs
themselves can be revoked, and are fairly routinely.

There is always a root of trust in a cert scheme (vs. a web scheme, say, which
has no single point of failure but a squishier notion of validity). The reason
it got caught is that Chrome implemented an independent "pinning" feature for
Google's own domains (basically an independent root of trust) and caught the
fraudulent certs.

------
spleeyah
Chrome now says "This extension is blacklisted." when you try to install it.

~~~
rplnt
They probably revoked the cert.

------
est
The browser is the new toolbar. In case you haven't seen it, IE7Pro added some
major features to IE. Some toolbars even added `data:` schema support to IE.

Want to see the cool Moog doodle? Download the latest HTML5™ toolbar today!
Want to use premium Yahoo features? Download the Axis toolbar!

~~~
jrockway
Out of protest, I downgraded to NCSA Mosaic and tied an onion to my belt,
which was the style at the time. Not many web pages loaded correctly, but the
important thing was that I had an onion on my belt, which was the style at the
time.

~~~
codezero
I managed to get Mosaic to compile on OS X, interestingly enough some pages do
still load and look OK. One was Dennis Ritchie's page:
<http://cm.bell-labs.com/who/dmr/>

It's an entertaining experience.

~~~
damncabbage
Mind posting the instructions / gotchas? :)

~~~
rogerbinns
Someone has made a site that emulates the old browsers, which is almost as
much fun: <http://www.dejavu.org/emulator.htm>

------
sneak
Where is the signature from this key used? I don't see any signatures or
certificates in the crx archive (just the key), and I'm curious as to the
trust path here - or is this an internal-to-Google's-extension-site key?

~~~
SoftwareMaven
The signature it generates is used by Chrome to determine whether an upgraded
extension really came from the same source. With this leaked, anybody could
conceivably put up an upgraded, evil version of Axis and Chrome would happily
upgrade it behind the scenes. I say conceivably because you still need to
either MitM the Chrome store or get Yahoo!'s credentials to the store.

------
dmboyd
Probably the obvious fix is for them to change the auto update path to https
rather than http on a subsequent update. Are there any good reasons why this
wouldn't have been done in the first place?

------
Isofarro
Hopefully Yahoo have patented this.

------
superxor
Any word on which Yahoo! services use this key?

~~~
mcpherrinm
Almost certainly nothing other than this addon. It would be silly to do
otherwise. But then, it'd be silly to leak your private key.

------
pagehub
If this had come out a year or two ago I may have considered trying it.

Still too disgusted at the way the company has been run recently to even
consider using their products.

------
Getahobby
I don't know why he uses the term "private certificate file." It is a private
key.

