Thursday, May 24, 2012

Yahoo’s new Axis browser has a problem. It was released last night as both an app for iOS and as an add-on for desktop browsers, but Yahoo may not have dotted all the “i’s” before launch in the latter case.

The Google Chrome extension for Axis appears to have launched with a security hole, identified by self-described “entrepreneur, hacker and blogger” Nik Cubrilovic. After downloading the extension with the intention of checking out the source code, he found that the private certificate the extension uses to authenticate itself with Google (essentially the code that performs the “handshake” that lets your computer know the download is safe) could be easily accessed by anyone.

That means if a hacker wanted to create a piece of malware that infects Chrome, they could use the certificate to make the malware seem authentic. Once it saw the certificate, Chrome would think the forged extension had been approved by Yahoo.

Cubrilovic says he tested the vulnerability by cloning the Axis extension, emptying its content (i.e. Axis itself) and replacing it with a JavaScript alert. Sure enough, the extension installed perfectly, as if it were a real Yahoo extension.
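The flaw described above is a publishing mistake: the signing key (what the article calls the private certificate) was shipped inside the package, and Chrome ties an extension's identity to that key rather than to its contents. The following added example (not Yahoo's or Cubrilovic's code, standard library only) is a pre-publish check a defender can run over a CRX2 package, the container format Chrome used in 2012: it derives the extension ID from the embedded public key and flags any PEM private-key block shipped in the archive. The sample package it builds uses stand-in key and signature bytes, not a real RSA key.

```python
"""Pre-publish audit for a Chrome extension package (CRX2 container, as used in
2012): does the archive ship its own signing key? Added example, stdlib only."""
import hashlib
import io
import re
import struct
import zipfile

# Any PEM private-key block inside the published package is a leaked key.
PRIVATE_KEY_RE = re.compile(rb"-----BEGIN (RSA |EC |DSA |ENCRYPTED )?PRIVATE KEY-----")

def extension_id(der_public_key: bytes) -> str:
    """Chrome derives the extension ID from the public key: the first 128 bits of
    SHA-256(DER key), with hex digits remapped to the letters a-p. Same key, same
    ID, which is why a package signed with a leaked key is accepted as the original."""
    digest = hashlib.sha256(der_public_key).hexdigest()[:32]
    return "".join(chr(ord("a") + int(c, 16)) for c in digest)

def split_crx2(data: bytes):
    """CRX2 layout: 'Cr24' | u32 version=2 | u32 key_len | u32 sig_len | key | sig | zip."""
    if len(data) < 16 or data[:4] != b"Cr24":
        raise ValueError("not a CRX package")
    version, key_len, sig_len = struct.unpack("<III", data[4:16])
    if version != 2:
        raise ValueError("only CRX2 is handled here")
    key_end, sig_end = 16 + key_len, 16 + key_len + sig_len
    return data[16:key_end], data[key_end:sig_end], data[sig_end:]

def find_private_keys(zip_bytes: bytes) -> list:
    """Names of archive members that contain PEM private-key blocks."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [i.filename for i in zf.infolist()
                if not i.is_dir() and PRIVATE_KEY_RE.search(zf.read(i))]

def audit_crx(data: bytes) -> dict:
    """Report the package's extension ID and any key material it ships."""
    key, _sig, zip_bytes = split_crx2(data)
    return {"extension_id": extension_id(key), "leaked_keys": find_private_keys(zip_bytes)}

def build_sample_crx(leak_key: bool) -> bytes:
    """Constructed sample: stand-in key/signature bytes (not a real RSA key or
    signature) around a minimal manifest, optionally with a PEM key shipped by mistake."""
    fake_key, fake_sig = bytes(range(48)), b"\x00" * 16
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("manifest.json", '{"name": "sample", "version": "1.0"}')
        if leak_key:
            zf.writestr("key.pem", "-----BEGIN RSA PRIVATE KEY-----\nMIIE...\n-----END RSA PRIVATE KEY-----\n")
    header = struct.pack("<4sIII", b"Cr24", 2, len(fake_key), len(fake_sig))
    return header + fake_key + fake_sig + buf.getvalue()
```

The audit does not verify the RSA signature itself (that needs a crypto library); its point is that a non-empty `leaked_keys` list means anyone holding the package can sign a replacement that carries the same extension ID.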

If a hacker were to use the certificate, they could theoretically create a piece of malware that could capture all the sites a user visited, including passwords and cookies, Cubrilovic writes. A commenter on Cubrilovic’s site claims to be Ethan Batraski, Yahoo’s director of product management. He said the company would release an updated extension that would resolve the issue.

A blog post from Sophos, a digital-security company, confirms Yahoo did replace the Chrome extension. However, the post says it’s unclear whether Chrome will actually know that the earlier certificate has been revoked if a user tries to install a cloned extension using it. The site recommends waiting a few days before trying out Axis for Chrome.