Yahoo! plugs leaky Axis extension

Powered by SC Magazine
 

Chrome plugin loses shine at launch.

Yahoo!'s Chrome search extension dubbed Axis was found on its debut launch to have exposed a private certificate capable of allowing attackers to craft authentic but malicious plugins.

The flaw was detected by Aussie security researcher and coder Nik Cubrilovic who detailed a proof of concept interception attack that used the signing key on his blog.

The certificate file is used by Yahoo! to sign the extension package, which is used by Chrome and the webstore to authenticate that the package comes from Yahoo!," Cubrilovic said.

"With access to the private certificate file, a malicious attacker is able to create a forged extension that Chrome will authenticate as being from Yahoo!

“The clearest implication is that with the private certificate file and a fake extension, you can create a spoofed package that captures all web traffic including passwords [and] session cookies."

He said the code could be delivered by running a DNS spoof of the update URL which would silently install and run the spoofed extension during an update.

Yahoo! disabled the Google Chrome extension and issued a fixed version.

Yahoo!'s Axis team blacklisted the exposed certificate key with Google which it said resolved the vulnerability.

“We take issues like this very seriously and are dedicated to working around the clock to ensure resolution. We apologise for any inconvenience.”

This article originally appeared at scmagazineuk.com

Copyright © SC Magazine, UK edition


Yahoo! plugs leaky Axis extension
 
 
 
Top Stories
Photos: iTnews Benchmark Awards countdown begins
Just a few days left until entries close for 2014.
 
Australian Govt to rethink cyber security strategy
Six-year old policy to be refreshed.
 
The failure of the antivirus industry
[Blog post] Insights from AVAR 2014.
 
 
Sign up to receive iTnews email bulletins
   FOLLOW US...
Latest Comments
Polls
Who do you trust most to protect your private data?







   |   View results
Your bank
  38%
 
Your insurance company
  3%
 
A technology company (Google, Facebook et al)
  8%
 
Your telco, ISP or utility
  7%
 
A retailer (Coles, Woolworths et al)
  2%
 
A Federal Government agency (ATO, Centrelink etc)
  20%
 
An Australian law enforcement agency (AFP, ASIO et al)
  15%
 
A State Government agency (Health dept, etc)
  5%
TOTAL VOTES: 1071

Vote