Yahoo released its Axis extension for Chrome and accidentally shipped the private signing key inside it, which could allow anyone to create malicious extensions masquerading as official Yahoo software. The result is that a miscreant could sign malicious software with Yahoo's own key, run it on unsuspecting victims' computers, and have it appear to come from Yahoo.
An Australian researcher exposed the signing-key mistake and said users should not install the extension "until the issue is clarified." He examined the extension’s source code and found the private key, which Yahoo uses to sign the extension so that the browser can verify it is genuine and unaltered.
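To make the mechanism concrete, here is an added example (not Yahoo's code and not the researcher's proof-of-concept) that audits a packaged Chrome extension the way a cautious user could have before installing it. It assumes the CRX2 container layout Chrome used at the time (a "Cr24" magic, a little-endian version/key-length/signature-length header, the DER public key, the signature, then the zip); it derives the extension ID from the public key the way Chrome does (SHA-256, first 128 bits, hex digits mapped to the letters a..p) and scans the zip members for PEM private-key material. The public key and signature blobs, the manifest, the leaked key text and the file name `keys/signing.pem` are all constructed for the demo; the RSA signature itself is not verified here.

```python
"""Audit a CRX2 extension package: derive its identity and look for shipped private keys.

Added example, not code from Yahoo or from the researcher who found the leak.
Assumptions: CRX2 layout as Chrome used in 2012; fake key/signature blobs; a
hypothetical member name 'keys/signing.pem' for the leaked key.
"""
import hashlib
import io
import re
import struct
import zipfile

CRX_MAGIC = b"Cr24"
CRX2_VERSION = 2

# PEM markers that have no business inside a package distributed to end users.
PRIVATE_KEY_RE = re.compile(rb"-----BEGIN (?:RSA |EC |DSA |ENCRYPTED )?PRIVATE KEY-----")


def extension_id_from_public_key(der_public_key):
    """Chrome's extension ID: SHA-256 of the DER public key, first 128 bits,
    each hex digit shifted into the range a..p. The ID (the extension's
    identity in the browser) therefore belongs to whoever holds the matching
    private key."""
    digest = hashlib.sha256(der_public_key).hexdigest()[:32]
    return "".join(chr(ord("a") + int(c, 16)) for c in digest)


def parse_crx2(blob):
    """Split a CRX2 container into (public_key, signature, zip_bytes)."""
    if blob[:4] != CRX_MAGIC:
        raise ValueError("not a CRX file")
    version, key_len, sig_len = struct.unpack_from("<III", blob, 4)
    if version != CRX2_VERSION:
        raise ValueError("unsupported CRX version %d" % version)
    off = 16
    public_key = blob[off:off + key_len]
    off += key_len
    signature = blob[off:off + sig_len]
    off += sig_len
    return public_key, signature, blob[off:]


def find_private_keys(zip_bytes):
    """Return the names of zip members that contain PEM private-key material."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            if PRIVATE_KEY_RE.search(zf.read(name)):
                hits.append(name)
    return hits


def audit_crx(blob):
    """Report the package's extension ID and any leaked private keys it carries."""
    public_key, _signature, zip_bytes = parse_crx2(blob)
    return {
        "extension_id": extension_id_from_public_key(public_key),
        "leaked_keys": find_private_keys(zip_bytes),
    }


# --- constructed sample packages (not the real Axis files) ---

def build_zip(members):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_crx2(public_key, signature, zip_bytes):
    header = CRX_MAGIC + struct.pack("<III", CRX2_VERSION, len(public_key), len(signature))
    return header + public_key + signature + zip_bytes


FAKE_PUBLIC_KEY = b"\x30\x82\x01\x22" + bytes(range(256)) + b"\x02\x03\x01\x00\x01"  # not a real key
FAKE_SIGNATURE = b"\x00" * 128  # placeholder; checking it would need RSA-SHA1 over the zip
MANIFEST = b'{"name": "Example Search", "version": "1.0", "manifest_version": 2}'
LEAKED_PEM = b"-----BEGIN RSA PRIVATE KEY-----\nMIIEow...constructed...\n-----END RSA PRIVATE KEY-----\n"

# Same public key in both, so both carry the same extension ID; only one also ships the secret.
LEAKY_CRX = build_crx2(FAKE_PUBLIC_KEY, FAKE_SIGNATURE,
                       build_zip({"manifest.json": MANIFEST, "keys/signing.pem": LEAKED_PEM}))
CLEAN_CRX = build_crx2(FAKE_PUBLIC_KEY, FAKE_SIGNATURE,
                       build_zip({"manifest.json": MANIFEST}))

if __name__ == "__main__":
    for label, crx in (("leaky", LEAKY_CRX), ("clean", CLEAN_CRX)):
        print(label, audit_crx(crx))
```

The two constructed packages share one extension ID because the ID is a function of the public key alone; that is exactly why a leaked private key matters. Anyone holding it can sign a package that the browser treats as the same extension, and the scan in `find_private_keys` is the check that would have caught the key before installation.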
There are myriad attacks that could be executed with a spoofed extension; the most obvious would be to create and sign a traffic logger that captures a victim’s Web activity. The researcher also produced a proof-of-concept of a spoofing attack and wrote up instructions on how to remove the extension.
Yahoo has since posted a replacement Web search extension that does not include the private key. Removing the key from the download does not undo the leak, however: copies of the original extension still contain it, so the key has to be treated as compromised.
What is Axis? Axis is a new search and browsing tool from Yahoo that was released on Wednesday. It is available for desktop computers as an extension for Google Chrome, Mozilla Firefox, Internet Explorer and Safari, and for iOS devices as a stand-alone app.