WebProNews

Tag: nik cubrilovic

  • Yahoo Axis Private Certificate Key Leaked at Launch

    Though the security issue has been resolved, Yahoo slightly botched the launch of Axis, its new mobile browser and desktop extension, by leaking its private certificate file in the source code of the Chrome extension. The private certificate was used to sign the extension, and could have been used to create a false extension that would be authenticated as officially from Yahoo.

    Nik Cubrilovic, an entrepreneur, hacker, and blogger at New Web Order, revealed Yahoo’s mistake in a blog post. There, he warned users of the danger the leak posed and demonstrated how the vulnerability could be exploited by creating his own, harmless, forged extension. From the blog post:

    The clearest implication is that with the private certificate file and a fake extension you can create a spoofed package that captures all web traffic, including passwords, session cookies, etc. The easiest way to get this installed onto a victim's machine would be to DNS spoof the update URL. The next time the extension attempts to update it will silently install and run the spoofed extension.

    Cubrilovic, after realizing what dangers the leak posed, quickly reported the mistake to Yahoo. According to The Next Web, Yahoo responded by pulling down the Chrome extension and blacklisting the leaked certificate key. The Next Web quoted a Yahoo spokesperson as saying:

    Since discovering this issue we have immediately pulled down the Chrome extension. We have blacklisted the exposed cert key with Google which has resolved the vulnerability. An updated Chrome extension should be available within the next 30 minutes with this issue completely resolved. We take issues like this very seriously and are dedicated to working around the clock to ensure resolution. We apologize for any inconvenience.

    A new Chrome extension is already available for Axis. The mishap only slightly tarnishes what was otherwise a smooth launch for Yahoo’s new mobile browser. There have been no reports of any malicious software spread using the vulnerability, so score one for Cubrilovic and the rest of the white hat hackers of the world.

    (New Web Order via The Next Web)

  • Facebook Wiretapping Case Moves To California

    Last year, a woman in Mississippi filed a lawsuit against Facebook, alleging that the social networking site violated U.S. wiretap laws by tracking her browsing history. In the suit, Brooke Rutledge accused the site of breach of contract, trespassing, unjust enrichment, and invasion of privacy. Now, in what may be a sign that the case is getting a go-ahead, a Mississippi judge has transferred the suit to California.

    The reasoning behind the suit was based on the revelation that Facebook was tracking members’ browsing habits and storing the data even when they weren’t signed in to the site. After getting busted by Australian writer/hacker Nik Cubrilovic, Facebook vowed to remove the omni-tracking cookie, but the cookie reappeared shortly after it had been removed.

    Although Facebook has since promised to change its data retention policies, that doesn’t really change the fact that it may have violated federal wiretap laws in the United States. And, sorry Facebook, but if you broke the law, changing your habits after you get caught doesn’t automatically nullify your prior legal infraction. What’s more, if this case works out in Rutledge’s favor (and who knows at this point, given how everybody is suing tech companies over possible privacy violations these days), it would set the first precedent in what could be a very long and extensive overhaul of how companies can collect and store users’ personal information.