Yahoo has been compelled to launch a new version of its Axis extension for Google Chrome after the original one contained a private key that allowed anyone to digitally sign extensions in Yahoo’s name.
Axis is a new search tool that was released on Wednesday and is available for desktop computers, as an extension for Google Chrome, Mozilla Firefox, Internet Explorer and Safari.
Google Chrome extensions come packed as CRX files, which are essentially digitally signed ZIP-format archives. Every CRX file contains a public key that’s part of a private-public key pair unique to its creator. The private key is used to sign the extension, while the public key is used by the browser to verify the signature’s authenticity. Since private keys allow developers to digitally sign new extensions or update their old ones, they should always be kept secret.
Google Chrome automatically checks for extension updates by querying update URLs specified by developers. If attackers can forge the DNS (domain name system) responses received by the browser, they can force it to install a rogue digitally signed extension update from a server under their control.
Yahoo confirmed the security issue. “We worked quickly to resolve the issue and have issued a new Chrome plug-in,” a Yahoo spokeswoman said via email. “Users who downloaded Yahoo! Axis on Chrome between the hours of 6-9 p.m. Pacific Time on May 23, 2012, are encouraged to uninstall the previous version and reinstall the new version at axis.yahoo.com.”
