Reshared post from +Linda Lawrey
Oops. Yahoo! leaks! private! key! in! Axis! Chrome! debut!
The certificate file is used by Yahoo! to sign the extension package, which is used by Chrome and the webstore to authenticate that the package comes from Yahoo! With access to the private certificate file a malicious attacker is able to create a forged extension that Chrome will authenticate as being from Yahoo!
The clearest implication is that with the private certificate file and a fake extension you can create a spoofed package that captures all web traffic, including passwords, session cookies, etc. The easiest way to get this installed onto a victim's machine would be to DNS spoof the update URL. The next time the extension attempts to update it will silently install and run the spoofed extension.
Yahoo! has since apologised and posted a replacement web search extension that doesn’t include the private half of the security certificate.
Yahoo! leaks! private! key! in! Axis! Chrome! debut! • The Register
Yahoo! today released its Axis extension for Chrome – and accidentally leaked its private security key that could allow anyone to create malicious plugins masquerading as official Yahoo! software. Aus…