Last week Yahoo released Axis, a new browser as an app for iOS devices and an extension for the major desktop browsers. But it made a mistake, and ‘entrepreneur, hacker and blogger’ Nik Cubrilovic rapidly discovered that the Chrome extension included Yahoo’s private certificate key. This key is used to verify to Chrome that the code is genuine Yahoo code. Cubrilovic produced a quick proof of concept. “To demonstrate the vulnerability, I cloned the source to the extension and added a content script that will prompt a Javascript alert. I then signed my forged extension with the Yahoo! certificate, and installed it in Chrome.”
This is a major issue. Had Cubrilovic been black hat rather than white hat he could have produced a malicious extension that Chrome would have accepted as genuine Yahoo code. “There is no suggestion that the private key was stolen – it seems to have just been pure human error,” comments Richard Moulds, VP product strategy at Thales e-Security. Moulds advocates the use of a hardware security module (HSM) to prevent such problems – which, he adds, could be multiplied by auto-updates. “One of the downsides of auto update processes,” he points out, “is that if a new plug-in is published and it contains an error, it could be propagated to a large number of computers very quickly since they all run out and get the new software as soon as it is published.”
The TalkTalk incident was reported in the Register. It involves Greystone Telecom, a subsidiary of TalkTalk, which is “unwittingly sharing customer and contract details with the world.” Once again there is no suggestion of any malevolent act – merely a mistake. “The mistake is a classic,” writes the Register. “Microsoft’s IIS - the server that comes with Windows - is configured by default for anonymous access, and happily allows itself to be indexed (and cached) by the ever-helpful Google crawlers.”
The combination of leaving the default configuration together with Google hacking techniques meant that confidential files were left exposed to whoever came looking for them. “Open FTP servers are nothing new,” reports the Register, “but Google's omniscience makes them far more vulnerable. Where hackers would previously have had to scour random IP addresses in the hope of striking lucky, now they can just get Google to do their heavy lifting for them.”
These two events demonstrate one of security’s great truths that is not easily solved: the user remains the weakest link.