X

Yahoo fumbles security in Axis browser launch

Troubled Internet pioneer forgets to publish terms of service for its new browser and also leaves the door open to an apparent vulnerability.

Steven Musil Night Editor / News
Steven Musil is the night news editor at CNET News. He's been hooked on tech since learning BASIC in the late '70s. When not cleaning up after his daughter and son, Steven can be found pedaling around the San Francisco Bay Area. Before joining CNET in 2000, Steven spent 10 years at various Bay Area newspapers.
Expertise I have more than 30 years' experience in journalism in the heart of the Silicon Valley.
See full bio
Steven Musil
2 min read

Yahoo made its first foray into the browser business this evening, but did it give us an unfinished product?

As my colleague Rafe Needleman explains, Axis is an aggressive product designed to eliminate the middleman in the usual search process and take visitors from query process straight to the desired page.

However, this doesn't appear to be the only step Yahoo skipped; the struggling Internet pioneer also left out an explanation of its terms of service. A search for those basic rules turns up a placeholder page that informs users:"Terms will go here."

Screenshot by Steven Musil/CNET

Granted, most users don't care about the terms of service and even fewer have actually ever read them. But more troubling is a little nugget that Yahoo apparently left in its new browser.

Nik Cubrilovic, a self-described blogger and hacker, found that the Yahoo Axis Chrome extension leaks its private certificate file, making it possible to counterfeit extensions:

The clearest implication is that with the private certificate file and a fake extension you can create a spoofed package that captures all web traffic, including passwords, session cookies, etc. The easiest way to get this installed onto a victims machine would be to DNS spoof the update URL. The next time the extension attempts to update it will silently install and run the spoofed extension

Cubrilovic said he reported the vulnerability to Yahoo but has yet to hear back.

"There is also an element of obviousness in this vulnerability," he said in his post. "Any developer who is familiar with how Chrome extensions are verified who looked at the source of this package would have seen and noticed the certificate file."

CNET has contacted Yahoo for comment on the matter and will update this post when we learn more information.

In a comment attached to Cubrilovic's post, a user identifying himself as Ethan Batraski, head of product for the Search Innovation Group at Yahoo, said the company was taking steps to address the vulnerability:

We recently learned of this Chrome vulnerability with Yahoo Axis and immediately disabled the Chrome extension. We have blacklisted the key with Google and is taking into affect immediately.We take these type of issues very seriously and are working around the clock to ensure this is resolved.

[Via The Next Web]

Watch this: Yahoo gets visual with Web browsing