Yahoo! today announced their new Axis web browser. It is implemented as an extension to Chrome, Firefox and Internet Explorer.
I installed the Chrome extension (direct link to original Chrome extension, probably not a good idea to install it) with the idea of checking out the source code. The first thing I noticed is that the source package contains their private certificate file used to sign the extension:
The certificate file is used by Yahoo! to sign the extension package, which is used by Chrome and the webstore to authenticate that the package comes from Yahoo!. With access to the private certificate file a malicious attacker is able to create a forged extension that Chrome will authenticate as being from Yahoo!
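Since the flaw here is simply that the signing key was shipped inside the package, the obvious mitigation is a pre-release check that refuses to publish any package containing private key material. The following is an added example, not Yahoo!'s code nor anything from the repository linked below: it builds a constructed sample package in memory (with a placeholder PEM, not a real key) and scans every archive member using only the standard library.

```python
import io
import re
import zipfile

# Marker for PEM-encoded private keys (RSA, EC, PKCS#8 and encrypted PKCS#8 all match).
PEM_PRIVATE_RE = re.compile(rb"-----BEGIN (?:[A-Z ]+ )?PRIVATE KEY-----")
# Filename suffixes that almost always hold key material and never belong in a shipped package.
SUSPECT_SUFFIXES = (".pem", ".key", ".p12", ".pfx", ".pk8")


def find_private_keys(package_bytes):
    """Return [(member_name, reason), ...] for every archive member that looks like
    private key material. Works on any zip-based bundle, which is what a Chrome
    extension package wraps, so it can run on the unsigned zip before signing."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(package_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            if name.lower().endswith(SUSPECT_SUFFIXES):
                findings.append((name, "suspicious filename"))
                continue
            # Only read a prefix: PEM headers sit at the top of the file.
            with zf.open(info) as fh:
                head = fh.read(4096)
            if PEM_PRIVATE_RE.search(head):
                findings.append((name, "PEM private key header in content"))
    return findings


def build_sample_package():
    """Constructed sample (assumption, not a real extension): a minimal extension
    with a content script and, mistakenly, the signing key left inside."""
    fake_pem = (b"-----BEGIN RSA PRIVATE KEY-----\n"
                b"PLACEHOLDER-NOT-A-REAL-KEY\n"
                b"-----END RSA PRIVATE KEY-----\n")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("manifest.json", '{"name": "sample", "version": "1.0", "manifest_version": 2}')
        zf.writestr("content.js", "alert('hello');")
        zf.writestr("build/signing-key.pem", fake_pem)  # caught by filename
        zf.writestr("build/notes.txt", fake_pem)        # caught by content only
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in find_private_keys(build_sample_package()):
        print(f"REFUSE TO PUBLISH: {name} ({reason})")
```

Wiring this into the packaging step (fail the build when the list is non-empty) is what would have stopped the key from reaching the store in the first place.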
The code for the original Yahoo! extension, and the forged extension I created have been checked into GitHub in a repository at http://github.com/nikcub/yahoo-spoof
The source is the same as the original Yahoo! Axis extension except for this content script which triggers an alert.
Warning: Only install the forged extension if you know what you are doing
This is a proof of concept. When you click on that link it will install the extension in Chrome. To remove it go to Window -> Extensions (or Options -> Extensions on Windows, IIRC) or the address chrome://extensions, find the spoofed package and remove it.
The clearest implication is that with the private certificate file and a fake extension you can create a spoofed package that captures all web traffic, including passwords, session cookies, etc. The easiest way to get this installed onto a victim's machine would be to DNS spoof the update URL. The next time the extension attempts to update it will silently install and run the spoofed extension.
I immediately reported this to Yahoo! on their security contact address and have yet to hear back.
Source: New Web Order