Welcome to Google Chrome Plugins

Source of Plugins, Themes, Add-ons and information for the Google Chrome Web Browser!

Top Tip: Click here to Fix Windows Errors & Optimize Windows Performance

Yahoo Axis Search Extension Counters Security Flaw

by Abhinab Choudhury on May 25, 2012

Yahoo has been compelled to release another new version for the young Axis extension that it initially designed for Chrome web browser. The previous version contained some private key which would allow anyone to forge digital signature in extensions in the name of Yahoo.

Yahoo Axis Search Extension

Axis is an all new search tool that Yahoo released last Wednesday. Presently it has been serving desktop computers, in the form of an extension to Google Chrome, Firefox, IE, Safari & iOS devices.

yahoo chrome imageThe loophole in the security code was discovered by Nik Cubrilovic – A hacker cum Security Blogger. He found that the package includes secured cryptographic key which has been coded to sign Axis extension. With the help of that cypotographic key any one can forge an extension in the name of Yahoo and carry out fraudulent activity.

The Chrome format – CRX, usually contains public key which is a part of private-public key and is unique to the original creator. The other private key has been programmed to sign on the chrome plugin, while the general public key is meant to be checked by browser in order to verify authenticity of the developer and the application.

Yahoo Axis Code Compromised

Some of the pvt key allows a developer to sign in new extensions digitally or to also update the old ones. This must always be hidden from other users. An attacker could probably push in Yahoo-signed corrupted extension to browser which has Axis extension pre-installed and can be used to carry out DNS spoofing and other malicious activities.

This is what Yahoo said -“We worked quickly to resolve the issue and have issued a new Chrome plug-in,”via email correspondence. “Users who have downloaded the Yahoo! Axis for Chrome during 6-9 p.m under Pacific Time on 23rd May 2012, are requested to uninstall prev version and then reinstall the patched one at the earliest”


{ 1 comment }

1 dimitris 06.08.12 at 1:49 pm

Comments on this entry are closed.

Buzzify Networks

Google Chrome and Google™ is a Trademark of Google Inc - Google Chrome. - Sitemap - Privacy Policy - SEO Enhanced
This site chromeplugins.org is not affiliated with or sponsored by Google Inc.
Coming Soon Chrome Themes and Chrome Extensions