Red-faced, Yahoo has released a new version of its Axis browser extension to fix a serious security flaw that would have let attackers build malicious Chrome extensions that appeared to come from Yahoo. If you downloaded the Chrome extension immediately after its launch, you should reinstall the latest version.
Yahoo originally released the new search and browsing tool on May 23. Available for desktop computers, mobile devices, and as an extension for major Web browsers, Yahoo touted the Axis tool’s predictive search capabilities. PCMag’s Michael Muchmore took a look at Yahoo! Axis recently.
While poring over the source file for the Chrome extension, Australian researcher Nik Cubrilovic noticed that Yahoo had accidentally included the private key used to sign the extension package. The key was widely reported as a PGP key, but Chrome extension packaging does not use PGP: the package is signed with an RSA key pair, the private half of which lives in a PEM file the developer is supposed to keep out of the package. Chrome verifies a packaged extension's signature against the public key bundled in the package and derives the extension's ID from that public key, so a package signed with Yahoo's private key is accepted as Yahoo's extension.
“In other words, any of us could write an app and fairly convincingly pretend that it was actually from Yahoo,” wrote Joshua Long on the Sophos Naked Security blog.
What is a Private Key?
Each packaged extension is signed with a key pair. The developer keeps the private key and uses it to sign the package; the public key travels in the package header, and the browser uses it to verify the signature. Chrome also derives the extension's ID from the public key, so the key pair is effectively the extension's identity. Private keys must always be kept secret, because anyone holding one can produce packages the browser accepts as that extension.
Cubrilovic cloned the Axis extension for Chrome, re-signed it with Yahoo’s key, and successfully installed the spoofed extension onto Chrome. Malicious developers could easily create their own extensions and use Yahoo’s private key to make Chrome think the packages belonged to Yahoo.
“With access to the private certificate file a malicious attacker is able to create a forged extension that Chrome will authenticate as being from Yahoo!” Cubrilovic wrote on his blog.
Types of Attacks
With the private key file, it would be possible to create a fake extension that captures all Web traffic, including passwords, session cookies, and other network activity, Cubrilovic wrote on his blog. Attackers could use DNS spoofing to trick browsers that already have Axis installed into fetching the forged package as an update, he said.
Yahoo worked quickly to resolve the issue and has released a new Chrome extension that doesn't contain the private key. It is also signing with a new key, so that the leaked one can be treated as revoked. Note that Chrome extension keys are not certificates issued by an authority and Chrome consults no revocation list: because the extension ID is derived from the public key, signing with a new key produces an extension with a new ID rather than revoking the old one.
Cubrilovic and other researchers plan to investigate whether the Chrome browser can determine when an extension was signed with a key that has been replaced in this way.
GPG4Browsers
Called GPG4Browsers, the tool functions as an extension for Google Chrome and is now capable of working with Gmail.
According to its developers, GPG4Browsers is a prototype, but it supports almost all asymmetric and symmetric ciphers and hash functions specified in the OpenPGP standard.
The OpenPGP specification uses public key cryptography to encrypt and digitally sign messages and other data. It is based on the original PGP (Pretty Good Privacy) program and is most commonly used for securing email communications.
Setting up a PGP implementation to work with a particular email client on a local computer can prove troublesome for less technical users, and the setup is not portable. A PGP user who wants to send and receive encrypted emails from a different computer would have to install it on that system first, import their private and public keys into the local key database, known as the keyring, and then configure the email client.
At the moment, GPG4Browsers only works in Google Chrome and is not available for download from the Chrome Web Store. However, if the name is any indication, the extension will be ported to other browsers in the future.
Users interested in giving it a try must download it manually and install it as an unpacked extension. This can be done from Chrome's Tools > Extensions page by checking the “Developer mode” box and clicking “Load unpacked extension.”
The current release is limited by the fact that it cannot generate key pairs, although the menu for doing this is present, so the feature will most likely be implemented in a future version.
Importing public and private keys works, and when browsing Gmail a black lock icon is displayed in the address bar. Clicking it opens a dialog for composing an encrypted or digitally signed message.
Similarly, when an encrypted message arrives in the Gmail inbox, the browser asks users whether they want to open it with GPG4Browsers. The extension can process messages encrypted or signed with GnuPG (GNU Privacy Guard), a popular open source PGP implementation, but only if the data was not compressed. GnuPG compresses by default, so a correspondent would have to disable compression (for example with gpg's -z 0 option) for GPG4Browsers to handle the result.
The GPG4Browsers source code is available under the GNU Lesser General Public License (LGPL), so the tool can be extended to support additional webmail providers. The developers also provide documentation explaining the available APIs.
This means that GPG4Browsers probably shouldn't be used on a computer when there's reason to believe it might be infected with malware or otherwise compromised. In such cases the user can always boot from a live Linux CD or a similar read-only environment.