Yahoo! launched its Axis search browser for iOS, PCs, and Macs this morning, but did it rush it out the door? Some have found it strange that Yahoo! offers Axis as a browser extension rather than an actual browser, and that choice may have led to a security issue with Chrome. Extensions are signed with a security certificate so that Google knows an extension comes from a trusted source. Yahoo! seems to have included its own private certificate in the extension's code for all to see.
That raises serious security concerns, because anyone who obtains the private certificate file can sign their own extensions with Yahoo!'s key, which could lead to malicious extensions being installed without Chrome questioning their authenticity. Nik Cubrilovic has detailed the vulnerability on his blog and has created a proof-of-concept exploit using Yahoo!'s private certificate.
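The mechanism behind this matters for anyone inventorying extensions: Chrome derives an extension's ID from the SHA-256 of the public key embedded in the package, so every package signed with the same private key carries the same ID and is indistinguishable, by ID, from the genuine extension. The following Python is an added example written for this article (not Yahoo!'s, Google's or Cubrilovic's code) that parses the 2012-era CRX2 container format, recovers the signing public key, derives the extension ID the way Chrome does, and flags a package whose ID is on a list of IDs known to belong to leaked keys. The sample key bytes are constructed placeholders, not a real DER-encoded key.

```python
"""Parse a CRX2 Chrome extension package and derive its extension ID.

Added example for this article; not code from Yahoo!, Google or Cubrilovic.
Chrome's extension ID is the first 128 bits of SHA-256(public key), written
with the hex digits 0-f mapped onto the letters a-p.
"""
import hashlib
import struct

CRX_MAGIC = b"Cr24"
CRX2_VERSION = 2


def derive_extension_id(public_key_der: bytes) -> str:
    """Chrome's extension ID for the given public key bytes."""
    digest_hex = hashlib.sha256(public_key_der).hexdigest()[:32]
    return "".join(chr(ord("a") + int(c, 16)) for c in digest_hex)


def parse_crx2(data: bytes) -> dict:
    """Split a CRX2 file into public key, signature and zip payload.

    Layout: magic(4) | version(4 LE) | key_len(4 LE) | sig_len(4 LE) | key | sig | zip
    """
    if len(data) < 16 or data[:4] != CRX_MAGIC:
        raise ValueError("not a CRX file")
    version, key_len, sig_len = struct.unpack_from("<III", data, 4)
    if version != CRX2_VERSION:
        raise ValueError(f"unsupported CRX version {version}")
    key_start = 16
    sig_start = key_start + key_len
    zip_start = sig_start + sig_len
    if zip_start > len(data):
        raise ValueError("truncated CRX header")
    public_key = data[key_start:sig_start]
    return {
        "public_key": public_key,
        "signature": data[sig_start:zip_start],
        "zip_payload": data[zip_start:],
        "extension_id": derive_extension_id(public_key),
    }


def build_crx2(public_key_der: bytes, signature: bytes, zip_payload: bytes) -> bytes:
    """Assemble a CRX2 container; used here only to construct sample input."""
    header = CRX_MAGIC + struct.pack(
        "<III", CRX2_VERSION, len(public_key_der), len(signature)
    )
    return header + public_key_der + signature + zip_payload


def signed_by_compromised_key(data: bytes, compromised_ids: set) -> bool:
    """Defender check: does the package's signing key map to an extension ID
    whose private key is known to have leaked?"""
    return parse_crx2(data)["extension_id"] in compromised_ids


# Constructed sample input. A real CRX carries a DER-encoded RSA
# SubjectPublicKeyInfo here; these placeholder bytes stand in for it.
SAMPLE_KEY = b"CONSTRUCTED-PLACEHOLDER-PUBLIC-KEY-NOT-A-REAL-DER-SPKI"
SAMPLE_SIG = b"\x00" * 128  # placeholder signature bytes
SAMPLE_ZIP = b"PK\x05\x06" + b"\x00" * 18  # empty zip end-of-central-directory record
SAMPLE_CRX = build_crx2(SAMPLE_KEY, SAMPLE_SIG, SAMPLE_ZIP)

if __name__ == "__main__":
    info = parse_crx2(SAMPLE_CRX)
    print("extension id:", info["extension_id"])
    # Treat this ID's key as leaked to show the check firing.
    print("flagged:", signed_by_compromised_key(SAMPLE_CRX, {info["extension_id"]}))
```

In practice the compromised-ID set would hold the ID of the affected extension; because the ID is a function of the public key alone, any package signed with the leaked private key produces the same ID, which is exactly why such a package could pass as the genuine one.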
Cubrilovic recommends that everyone using Chrome remove the extension immediately because of the security risk. An attacker could potentially create an extension that captures all internet traffic, including passwords. Cubrilovic says he has contacted Yahoo! about the issue but has yet to hear back from its security team.
In the comments on Cubrilovic's blog, however, a member of Yahoo! identifying himself as Ethan Batraski says that the team is aware of the vulnerability and is working to fix it: "We have blacklisted the key with Google and it is taking effect immediately. We take these types of issues very seriously and are working around the clock to ensure this is resolved." In the meantime, be careful about which extensions you install.