Yahoo! has released a new browser for iPad and iPhone, dubbed "Axis," along with corresponding extensions for desktop versions of Chrome, Firefox, Safari, and IE 9.
Within hours of the launch, security researcher Nik Cubrilovic discovered that Yahoo had mistakenly bundled its own private certificate file inside the Chrome extension version of Axis.
"A private key is used by a developer to sign an extension package in order to prove that the extension is actually from the developer. If a malicious third party were to obtain the private key, they would be able to release an extension signed with that developer's certificate," says a Sophos security researcher.
With the private key in the wild, it would be possible to create and sign an extension that appeared to be from Yahoo!.
Cubrilovic used Yahoo's own certificate to sign a forged version of the Chrome extension as a proof of concept.
Cubrilovic writes about the implications of Yahoo's inclusion of the private certificate:
"The clearest implication is that with the private certificate file and a fake extension you can create a spoofed package that captures all web traffic, including passwords, session cookies, etc. The easiest way to get this installed onto a victim's machine would be to DNS spoof the update URL. The next time the extension attempts to update it will silently install and run the spoofed extension."
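The mistake described above, a signing key shipped inside the package it signs, is the kind of thing a release pipeline can catch before publication. The following is an added example, not Yahoo's or Cubrilovic's code: it scans the zip payload of a packaged extension for PEM private-key armour and for file names that normally carry key material, and it builds its own constructed sample package (the key body is filler text, not a real key) so it runs offline.

```python
"""Pre-release check: scan a browser-extension package (the zip archive that a
Chrome .crx wraps, or the extension directory zipped up) for bundled private keys.
Added example; the sample package below is constructed for demonstration."""
import io
import re
import zipfile

# PEM armour headers used by the common private-key encodings.
PRIVATE_KEY_RE = re.compile(
    rb"-----BEGIN (?:RSA |EC |DSA |ENCRYPTED )?PRIVATE KEY-----"
)
# Extensions that usually hold key material even when not PEM-armoured.
SUSPICIOUS_SUFFIXES = (".pem", ".key", ".p12", ".pfx")


def find_private_keys(package_bytes: bytes) -> list[str]:
    """Return the archive member names that look like private keys.

    A non-empty result means the package must not be published as-is.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(package_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            data = zf.read(name)
            if PRIVATE_KEY_RE.search(data) or name.lower().endswith(SUSPICIOUS_SUFFIXES):
                findings.append(name)
    return findings


def build_sample_package(include_key: bool) -> bytes:
    """Constructed sample extension package; the 'key' is filler, not a real key."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("manifest.json", '{"name": "example-extension", "version": "1.0"}')
        zf.writestr("background.js", "console.log('hello');")
        if include_key:
            # Simulates a developer accidentally packaging the signing key.
            zf.writestr(
                "keys/signing.pem",
                "-----BEGIN RSA PRIVATE KEY-----\nNOTAREALKEY\n-----END RSA PRIVATE KEY-----\n",
            )
    return buf.getvalue()


if __name__ == "__main__":
    # Expected: ['keys/signing.pem'] for the bad package, [] for the clean one.
    print("with key:", find_private_keys(build_sample_package(True)))
    print("clean:   ", find_private_keys(build_sample_package(False)))
```

The check belongs in the build step that produces the package, run before the package is signed and uploaded; if it fires, the key should be treated as exposed and rotated, because the package itself may already have been copied. The name-suffix match is deliberately broad so that a DER or PKCS#12 key with no PEM header still gets flagged for manual review.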