H-Online: Yahoo! introduced a new “browser”, Axis, last night, both as a standalone application for iPhone and iPad and as a browser extension on Chrome, Firefox, Internet Explorer and Safari. Axis is meant to offer faster, smarter searching using Yahoo’s services. Within hours of the launch, hacker and blogger Nik Cubrilovic posted on his blog that the Chrome extension came with a worrying extra, a Yahoo private certificate file which was used to sign the extension package and prove the package’s authenticity to the Google browser.
With the private key in the wild it would be possible to create and sign an extension which appeared to be from Yahoo!; Cubrilovic demonstrated this by creating “yahoo-spoof”, a lightly modified version of the extension, signed with the private certificate. According to Cubrilovic, there was no password associated with the certificate, which allowed this signing to take place, and the build script was also included in the extension.
It would have been possible, if DNS were appropriately compromised, to have updated a legitimate Axis extension with a correctly signed but malicious version. Given how new Axis is, this would have been unlikely, but leaving a private certificate in the distributed extension does raise questions over how thorough and secure Yahoo’s release process is. A member of the Axis team, Ethan Batraski, commented on various sites that Yahoo! had pulled down the Chrome extension and blacklisted the exposed certificate. The company has since released an updated version of the Chrome extension signed with a new private certificate.
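The release-process check this incident argues for, as an added example that is not code from the article, from Cubrilovic or from Yahoo!: a Python script that opens a packaged extension (a plain zip or a .crx with its header stripped), scans every member for PEM-armoured private-key material, reports whether each key is password-protected, and refuses to let the package ship if any is found. The package layout, file names and the placeholder key body are constructed for the example; the CRX header layout is the published CRX2/CRX3 framing.

```python
import io
import re
import zipfile

# PEM armour for private keys: "PRIVATE KEY", "RSA PRIVATE KEY",
# "EC PRIVATE KEY", "ENCRYPTED PRIVATE KEY", "OPENSSH PRIVATE KEY", ...
PEM_KEY_RE = re.compile(
    rb"-----BEGIN ((?:[A-Z]+ )*PRIVATE KEY)-----(.*?)-----END \1-----",
    re.DOTALL,
)

# Constructed placeholder, not a real key: only the armour matters to the scan.
PLACEHOLDER_KEY = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "PLACEHOLDER-NOT-A-REAL-KEY\n"
    "-----END RSA PRIVATE KEY-----\n"
)


def strip_crx_header(data: bytes) -> bytes:
    """Return the zip payload of a .crx, or the input unchanged for a plain zip.
    CRX2: magic, version, key length, signature length, key, signature, zip.
    CRX3: magic, version, header length, protobuf header, zip."""
    if data[:4] != b"Cr24":
        return data
    version = int.from_bytes(data[4:8], "little")
    if version == 2:
        key_len = int.from_bytes(data[8:12], "little")
        sig_len = int.from_bytes(data[12:16], "little")
        return data[16 + key_len + sig_len:]
    if version == 3:
        header_len = int.from_bytes(data[8:12], "little")
        return data[12 + header_len:]
    raise ValueError(f"unsupported CRX version {version}")


def classify_pem(header: bytes, body: bytes) -> str:
    """'encrypted' if the key block is password-protected, else 'plaintext'.
    A plaintext key is exactly the case described in the article."""
    if b"ENCRYPTED" in header:              # PKCS#8 encrypted container
        return "encrypted"
    if b"Proc-Type: 4,ENCRYPTED" in body:   # legacy OpenSSL encrypted PEM
        return "encrypted"
    return "plaintext"


def scan_archive(data: bytes) -> list:
    """Scan every member of a zip or .crx package for embedded private keys.
    Returns one finding per key, plus a name-based hint for key-like files
    (DER or PKCS#12) that carry no PEM armour."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(strip_crx_header(data))) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            content = zf.read(info)
            matched = False
            for m in PEM_KEY_RE.finditer(content):
                matched = True
                findings.append({
                    "member": info.filename,
                    "kind": m.group(1).decode(),
                    "protection": classify_pem(m.group(1), m.group(2)),
                })
            suspicious = info.filename.lower().endswith((".pem", ".key", ".p12", ".pfx"))
            if suspicious and not matched:
                findings.append({"member": info.filename,
                                 "kind": "key-like filename",
                                 "protection": "unknown"})
    return findings


def release_gate(data: bytes) -> bool:
    """True when the package may ship: no private key material inside."""
    return not scan_archive(data)


def build_sample(include_key: bool) -> bytes:
    """Constructed sample package (not Yahoo's): a manifest and a script,
    plus, optionally, the placeholder key that should never be shipped."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("manifest.json", '{"name": "example-ext", "version": "1.0"}')
        zf.writestr("background.js", "console.log('hello');")
        if include_key:
            zf.writestr("key.pem", PLACEHOLDER_KEY)
    return buf.getvalue()


if __name__ == "__main__":
    for leaky in (False, True):
        pkg = build_sample(leaky)
        print("ship" if release_gate(pkg) else "BLOCK", scan_archive(pkg))
```

Run as a step in the packaging pipeline, before upload, so a build that copies the signing key or build script into the bundle fails closed rather than reaching users; the name-based hint catches DER and PKCS#12 files that the PEM regex cannot see.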