Yahoo's Axis Browser Security Slip-Up
A promotional shot of Yahoo's Axis desktop Web browser plug-in.
CREDIT: Yahoo! Inc.
While Yahoo was celebrating the surprise launch of its Axis Web browser yesterday (May 23), a security researcher was swiftly exploiting a critical vulnerability in the new software, proving just how easy it would be for an attacker to steal users' passwords or even install malware.
Axis is a stand-alone browser on mobile devices such as the iPhone and iPad, but on the desktop it is an extension for Google Chrome, Microsoft Internet Explorer and Mozilla Firefox. In the Chrome version, Yahoo mistakenly packaged the private key used to sign the extension inside the extension's own source files, according to independent researcher Nik Cubrilovic.
In the words of Dennis Fisher of Kaspersky Lab's Threatpost, "That key is what the Chrome browser would look for in order to ensure that the extension is legitimate and authentic, and so it should never be disclosed publicly."
In a blog posting today, Cubrilovic demonstrated how to create and install a bogus extension for Chrome.
"The certificate file is used by Yahoo to sign the extension package, which is used by Chrome and the webstore to authenticate that the package comes from Yahoo," Cubrilovic wrote. "With access to the private certificate file, a malicious attacker is able to create a forged extension that Chrome will authenticate as being from Yahoo."
It wasn't clear from Cubrilovic's posting whether Firefox or Internet Explorer would be affected as well. The key is specific to Chrome's extension packaging, so the other two versions would be exposed only if Yahoo had reused the same key material to sign them.
With the key, an attacker could build a forged version of Axis that Chrome would accept as Yahoo's, and an extension running with Axis' permissions can read or rewrite pages as the user browses, which is enough to capture passwords or hijack an online banking session. The key signs Chrome extension packages, not Windows or Mac executables, so it would not by itself let native malware pass as Yahoo-signed software; the exposure is any user who can be led to install the forged extension.
Cubrilovic, who has previously identified critical security flaws, including Facebook's controversial tracking policy, said he had disclosed the exposed key to Yahoo but had yet to hear back.
Soon after Cubrilovic posted his findings on his blog, a man identifying himself as Ethan Batraski, a director of product management at Yahoo, posted this comment: "A new Chrome extension will be available within the next 30 min with this issue resolved. We apologize for the inconvenience."
Batraski didn't say whether Yahoo would retire the exposed key. That matters because Chrome ties an extension's identity to its signing key: a build signed with a fresh key is a different extension ID, while the old ID remains forgeable by anyone holding the leaked key until the browser and the Web Store stop honoring it.
As a commenter responding to Batraski's comment wrote, "A new extension won't fix the problem, though, now that the private certificate is out in the open."
Yahoo did not immediately respond to a request for comment from SecurityNewsDaily.