The security threat, which only affected the Chrome extension, was quickly resolved thanks to a diligent hacker

SecurityProNews

May 24, 2012


Yahoo Axis Private Certificate Key Leaked At Launch

By: Sean Patterson

Though the security issue has been resolved, Yahoo slightly botched the launch of Axis, its new mobile browser and desktop extension, by leaking its private certificate file in the source code of the Chrome extension. The private certificate was used to sign the extension, and could have been used to create a false extension that would be authenticated as officially from Yahoo.
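The failure described above is a release-engineering one: key material that belongs only on the signing machine was packaged with the files that ship to every user. A pre-publish check that refuses to package an extension directory containing a private key would have caught it. The following is an added example, not Yahoo's or Cubrilovic's code; the sample extension files, the key-like file suffixes and the PEM header pattern are assumptions, and the "key" in the sample is an invalid placeholder.

```python
"""Pre-publish check: refuse to package a browser extension that contains a private key.

Added example (not code from Yahoo or from the blog post discussed above).
The sample files below are constructed; the key material is a deliberately
invalid placeholder, not a real key.
"""
import os
import re
import sys
import tempfile
from typing import Dict, List

# PEM armour used by PKCS#8 / OpenSSL private keys. Matching the header alone
# is enough to decide that a file must not ship; the body is never inspected.
PEM_PRIVATE_KEY = re.compile(
    rb"-----BEGIN (?:RSA |EC |DSA |OPENSSH |ENCRYPTED )?PRIVATE KEY-----"
)

# File suffixes that conventionally hold key material (assumed list). Chrome's
# packer writes the signing key as a .pem next to the extension directory; if
# that file is ever moved inside the directory it is packaged with the code.
KEY_FILE_SUFFIXES = (".pem", ".key", ".p12", ".pfx")

# Constructed sample extension: two clean files, a stray signing key, and a
# key embedded as a string literal inside a script.
SAMPLE_EXTENSION: Dict[str, bytes] = {
    "manifest.json": b'{"manifest_version": 2, "name": "demo", "version": "1.0"}',
    "background.js": b"console.log('hello');",
    "signing.pem": b"-----BEGIN PRIVATE KEY-----\nNOTAREALKEY\n-----END PRIVATE KEY-----\n",
    "lib/helper.js": b"var k = '-----BEGIN RSA PRIVATE KEY-----\\nNOTAREALKEY';",
}


def find_private_keys(files: Dict[str, bytes]) -> List[str]:
    """Return sorted findings for an extension's files.

    `files` maps a relative path to raw bytes, so the same check works on an
    unpacked source tree and on the contents of an already-built archive.
    """
    findings: List[str] = []
    for path, data in files.items():
        if path.lower().endswith(KEY_FILE_SUFFIXES):
            findings.append(f"{path}: key-material file name")
        if PEM_PRIVATE_KEY.search(data):
            findings.append(f"{path}: PEM private key block")
    return sorted(findings)


def scan_directory(root: str) -> List[str]:
    """Walk an unpacked extension directory and run find_private_keys on it."""
    files: Dict[str, bytes] = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                files[rel] = fh.read()
    return find_private_keys(files)


def demo_on_disk() -> List[str]:
    """Write the constructed sample to a temp directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel, data in SAMPLE_EXTENSION.items():
            full = os.path.join(tmp, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(data)
        return scan_directory(tmp)


if __name__ == "__main__":
    # Usage: python check_extension.py [extension_dir]; exits non-zero on findings
    # so it can gate a packaging step in CI.
    target = sys.argv[1] if len(sys.argv) > 1 else None
    results = scan_directory(target) if target else demo_on_disk()
    for line in results:
        print("REFUSING TO PACKAGE:", line)
    sys.exit(1 if results else 0)
```

The check is intentionally blunt: a header match or a key-like file name fails the build, because a false positive costs a minute of review while a false negative costs the signing key. Exposing it as a function over a path-to-bytes mapping lets the same logic run over the source tree before packing and over the built archive before upload, which is where a stray key would otherwise go unnoticed.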

Nik Cubrilovic, an entrepreneur, hacker, and blogger at New Web Order, revealed Yahoo's mistake in a blog post. There, he warned users of the danger the leak posed and demonstrated how the vulnerability could be exploited by creating his own, harmless, forged extension. From the blog post:

The clearest implication is that with the private certificate file and a fake extension you can create a spoofed package that captures all web traffic, including passwords, session cookies, etc. The easiest way to get this installed onto a victim's machine would be to DNS spoof the update URL. The next time the extension attempts to update it will silently install and run the spoofed extension.

Cubrilovic, after realizing what dangers the leak posed, quickly reported the mistake to Yahoo. According to The Next Web, Yahoo responded by pulling down the Chrome extension and blacklisting the leaked certificate key. The Next Web quoted a Yahoo spokesperson as saying:

Since discovering this issue we have immediately pulled down the Chrome extension. We have blacklisted the exposed cert key with Google, which has resolved the vulnerability. An updated Chrome extension should be available within the next 30 minutes with this issue completely resolved. We take issues like this very seriously and are dedicated to working around the clock to ensure resolution. We apologize for any inconvenience.

A new Chrome extension is already available for Axis. The mishap only slightly tarnishes what was otherwise a smooth launch for Yahoo's new mobile browser. There have been no reports of any malicious software spread using the vulnerability, so score one for Cubrilovic and the rest of the white hat hackers of the world.

(New Web Order via The Next Web)

About the Author:
Sean is a staff writer for SecurityProNews. Follow Sean on Google+: +Sean Patterson and Twitter: @St_Patt

About SecurityProNews
SecurityProNews is updated in real time with vital internet security alerts, news and in-depth articles for IT Managers. SecurityProNews understands that IT Management Begins With Security.
SecurityProNews is part of the iEntry Inc. Network of sites and newsletters.