Shortly after release, a severe security flaw was discovered in the Chrome Axis extension released by Yahoo.

Two days ago, Yahoo launched a new browser called Axis. Yahoo was looking to increase their market share among search engines by integrating it with current browsers in the desktop market by releasing it as a plug-in, and strengthening their mobile search engine market share by releasing a full iOS browser, with an Android version in the works. However, security researchers immediately noticed a major flaw in Axis once they got their hands on it.

Yahoo had, hopefully by mistake, included the private signing key in the source file for the browser. This would allow an attacker to create any signed extension for a browser that would then be treated as authentic.

For those who don’t have a grasp on public-key cryptography, I’ll do a quick explanation. Suppose I want to send you a message, but I don’t want anyone to know what it says. Luckily, I have a program that will create an encryption key for me, because the math involved in creating cryptographic keys is very difficult. The program creates two keys, one public and one private, which are mathematically linked. When one key is used to encrypt something, only its partner can decrypt that message. I keep the private key and use it to encrypt a message, and then give my public key to you and anyone else who I want to communicate with securely. You then take my message and use the public key to decrypt the message I sent you. You can also use that key to encrypt a message to me, and only I will be able to read it, since only I have the private key.

Public key cryptography is commonly used in software to sign certificates, lines of code added to programs verifying that they came from a particular person, company, etc. The developer signs the code with the private key, and that encrypted signature is decrypted by the public key, which is available to everyone. This way, everyone knows that, for instance, Yahoo created this extension. However, by leaving the private key in the source code for their new browser, Yahoo has basically made it so that anyone can sign anything in their name, and it will appear to be valid.
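A release-time check for the mistake described above, shown as an added example that is not from the original article or from Yahoo: it scans a package for private key material before it ships. It assumes the package is a zip-format archive; the function names and the sample archive contents are constructed for illustration.

```python
import io
import re
import zipfile

# PEM headers that mark private key material (RSA, EC, PKCS#8, OpenSSH, PGP).
PRIVATE_KEY_RE = re.compile(
    rb"-----BEGIN (?:(?:RSA|EC|DSA|OPENSSH|ENCRYPTED) )?PRIVATE KEY-----"
    rb"|-----BEGIN PGP PRIVATE KEY BLOCK-----"
)
# File names that commonly hold keys; flagged for review even without a PEM header.
SUSPECT_NAME_RE = re.compile(r"\.(pem|key|p12|pfx)$", re.IGNORECASE)


def find_private_keys(archive_bytes):
    """Return sorted (member_name, reason) pairs for suspected private keys."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)
            if PRIVATE_KEY_RE.search(data):
                findings.append((info.filename, "PEM private key header"))
            elif SUSPECT_NAME_RE.search(info.filename):
                findings.append((info.filename, "key-like file name"))
    return sorted(findings)


def build_sample_archive(include_key):
    """Build a constructed extension package in memory (sample data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("manifest.json", '{"name": "sample-extension", "version": "1.0"}')
        zf.writestr("background.js", "console.log('hello');")
        if include_key:
            # Constructed placeholder text, not a real key.
            zf.writestr(
                "build/signing.txt",
                "-----BEGIN RSA PRIVATE KEY-----\nCONSTRUCTED-PLACEHOLDER\n"
                "-----END RSA PRIVATE KEY-----\n",
            )
            zf.writestr("certs/release.pem", "constructed placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    # A non-empty result should fail the release build.
    for name, reason in find_private_keys(build_sample_archive(True)):
        print(f"BLOCK RELEASE: {name}: {reason}")
```

Run as a gate in the packaging step, so that any finding stops the build before the archive is published.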

The flaw was discovered by writer and hacker Nik Cubrilovic, who used the private PGP key to create a forged extension for Chrome and then proceeded to install it with nary a complaint or problem from the browser. He has uploaded the source code to GitHub for both the original Axis extension and his forged version. I will not link to it here, so if you want to cause mischief and mayhem you’re going to have to look for it yourself.

Yahoo has said that their developers are working on a new, fixed extension.