Yahoo! today announced their new Axis web browser. It is implemented as an extension to Chrome, Firefox and Internet Explorer.
I installed the Chrome extension (direct link to original Chrome extension, probably not a good idea to install it) with the idea of checking out the source code. The first thing I noticed is that the source package contains their private certificate file used to sign the extension:

The certificate file is used by Yahoo! to sign the extension package, which is used by Chrome and the webstore to authenticate that the package comes from Yahoo!. With access to the private certificate file a malicious attacker is able to create a forged extension that Chrome will authenticate as being from Yahoo!
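The core defect described above is that the signing key shipped inside the package itself. The following scanner is an added example (not Yahoo!'s code and not from the original post) that a reviewer or build pipeline could run over an extension package before publishing it: it strips the CRX version-2 header (magic "Cr24", version, public-key length, signature length) if present, then walks the zip payload looking for PEM private-key markers. The sample package it builds in memory is constructed for the demonstration and contains a placeholder PEM block, not a real key.

```python
"""Scan a Chrome extension package (raw zip or CRX v2) for bundled private keys.

Added example: checks that no PEM private-key material was packed into the
files that get shipped to users. The sample package below is constructed
inline and the "key" in it is a placeholder string, not real key material.
"""
import io
import struct
import zipfile

# PEM header lines that mark private key material (PKCS#1, PKCS#8, EC, encrypted PKCS#8).
PRIVATE_KEY_MARKERS = (
    b"-----BEGIN RSA PRIVATE KEY-----",
    b"-----BEGIN PRIVATE KEY-----",
    b"-----BEGIN EC PRIVATE KEY-----",
    b"-----BEGIN ENCRYPTED PRIVATE KEY-----",
)

CRX_MAGIC = b"Cr24"


def unwrap_crx(blob: bytes) -> bytes:
    """Return the zip payload of a CRX v2 package; pass a plain zip through unchanged.

    CRX v2 layout: "Cr24" | uint32 version | uint32 pubkey_len | uint32 sig_len
                   | pubkey | signature | zip archive (all little-endian).
    """
    if not blob.startswith(CRX_MAGIC):
        return blob
    version, pubkey_len, sig_len = struct.unpack_from("<III", blob, 4)
    if version != 2:
        raise ValueError("only CRX version 2 headers are handled in this example")
    return blob[16 + pubkey_len + sig_len:]


def find_private_keys(blob: bytes) -> list:
    """Return (filename, marker) pairs for every packaged file containing a PEM private key."""
    payload = unwrap_crx(blob)
    findings = []
    with zipfile.ZipFile(io.BytesIO(payload)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)
            for marker in PRIVATE_KEY_MARKERS:
                if marker in data:
                    findings.append((info.filename, marker.decode("ascii")))
                    break  # one finding per file is enough
    return findings


def build_sample_crx() -> bytes:
    """Construct a small CRX v2 package that mistakenly includes a key file (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("manifest.json", '{"name": "sample", "version": "1.0", "manifest_version": 2}')
        zf.writestr("background.js", "console.log('sample extension');")
        # Placeholder PEM block; deliberately NOT a real private key.
        zf.writestr(
            "key.pem",
            "-----BEGIN RSA PRIVATE KEY-----\n"
            "PLACEHOLDER-NOT-A-REAL-KEY\n"
            "-----END RSA PRIVATE KEY-----\n",
        )
    payload = buf.getvalue()
    pubkey = b"\x00" * 16   # placeholder public key bytes (assumed layout only)
    signature = b"\x00" * 32  # placeholder signature bytes
    header = CRX_MAGIC + struct.pack("<III", 2, len(pubkey), len(signature))
    return header + pubkey + signature + payload


if __name__ == "__main__":
    for path, marker in find_private_keys(build_sample_crx()):
        print(f"private key material found in {path}: {marker}")
```

Run it against a real package by reading the `.crx` or `.zip` bytes and passing them to `find_private_keys`; any non-empty result means the package should not ship until the key is removed and, since it has already been exposed, rotated.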
Demonstration
To demonstrate the vulnerability, I cloned the source of the extension and added a content script that will prompt a JavaScript alert. I then signed my forged extension with the Yahoo! certificate, and installed it in Chrome.
The code for the original Yahoo! extension, and the forged extension I created have been checked into GitHub in a repository at http://github.com/nikcub/yahoo-spoof
The source is the same as the original Yahoo! Axis extension except for this content script which triggers an alert.
Warning: Only install the forged extension if you know what you are doing
Here is a link to a build of the forged extension. It is the same as the original Yahoo! source except it includes a content script that will pop up a JavaScript alert on each page, and it has been signed by Yahoo! (well, me).
This is a proof of concept. When you click on that link it will install the extension in Chrome. To remove it go to Window -> Extensions (or Options -> Extensions on Windows, IIRC) or the address chrome://extensions, find the spoofed package and remove it.
Implications
The clearest implication is that with the private certificate file and a fake extension you can create a spoofed package that captures all web traffic, including passwords, session cookies, etc. The easiest way to get this installed onto a victim's machine would be to DNS spoof the update URL. The next time the extension attempts to update it will silently install and run the spoofed extension.
I immediately reported this to Yahoo! on their security contact address and have yet to hear back.
Source: New Web Order