The new Yahoo search plugin which was only released a few hour ago is leaking a security certificate file in the Google Chrome Extension. This makes it possible for people to spoof the extension and record all your browsing, passwords etc.
What a stupid mistake by Yahoo. Anyone who has developed extensions for Google Chrome (myself included) knows about this. It's really annoying as I thought this was one of the first good things Yahoo have done in a long time yet it's now a PR and security nightmare.
It was Nik Cubrilovic who made the discovery and has outlined how to take advantage of the extension. You can visit his post for more info.
http://nikcub.appspot.com/posts/yahoo-axis-chrome-extension-leaks-private-certificate-file
---------- Post added at 02:10 PM ---------- Previous post was at 11:44 AM ----------
Update
Yahoo have reacted. The chrome extension has being pulled from the Chrome Web Store and the certificate blacklisted with Google. An updated extension is expected to be released later today.
What a stupid mistake by Yahoo. Anyone who has developed extensions for Google Chrome (myself included) knows about this. It's really annoying as I thought this was one of the first good things Yahoo have done in a long time yet it's now a PR and security nightmare.
It was Nik Cubrilovic who made the discovery and has outlined how to take advantage of the extension. You can visit his post for more info.
http://nikcub.appspot.com/posts/yahoo-axis-chrome-extension-leaks-private-certificate-file
---------- Post added at 02:10 PM ---------- Previous post was at 11:44 AM ----------
Update
Yahoo have reacted. The chrome extension has being pulled from the Chrome Web Store and the certificate blacklisted with Google. An updated extension is expected to be released later today.
Last edited:
