Yahoo! released its Axis extension for Chrome and in the process accidentally leaked its private security key that could allow anyone to create malicious plugins looking like official Yahoo! software.
Users should not install the extension “until the issue is clarified,” said Nik Cubrilovic, an entrepreneur based in Australia and security researcher.
Cubrilovic looked at the extension’s source code and found the private certificate, which Yahoo! uses to sign the application to prove it is genuine and unaltered. The result is that an attacker could forge a malicious extension that Google’s web browser would verify as coming from Yahoo!, he said.
All sorts of attacks could come with a spoofed extension; the most obvious of these would be to create and sign a traffic logger to capture a victim’s web activity, Cubrilovic said.
“The certificate file is used by Yahoo! to sign the extension package, which is used by Chrome and the webstore to authenticate that the package comes from Yahoo! With access to the private certificate file, a malicious attacker is able to create a forged extension that Chrome will authenticate as being from Yahoo!
“The clearest implication is that with the private certificate file and a fake extension you can create a spoofed package that captures all web traffic, including passwords, session cookies, etc. The easiest way to get this installed onto a victim’s machine would be to DNS spoof the update URL. The next time the extension attempts to update it will silently install and run the spoofed extension.”
He also produced a proof-of-concept of a spoofing attack and instructions on how to remove the extension.
Yahoo! posted a replacement web search extension that doesn’t include the private half of the security certificate. The new plugin, billed as a search browser, is also available for Firefox, Internet Explorer, Safari, and iPhones and iPads.