Yahoo! forced to fix Chrome extension after Axis launch

News by Dan Raywood

Yahoo! has entered the browser market with the launch of Axis, but security flaws have already been detected in the Chrome extension.

Yahoo! said that Axis displays search results in a "more convenient and compelling format", at the top of the page in visual thumbnails that can be scrolled through above a web page.

Adverts will not be shown next to Axis search results initially, but Yahoo! said that the visual format will be ideal for video commercials and graphical marketing. It also plans to store search activity on its servers so that users can access their past activity from any computer or mobile device they log in from; Google and Facebook logins will be accepted as well as Yahoo! ones.

A version was launched into the Apple app store last night with plug-ins available for most major browsers.

A letter released to clients yesterday said that Axis redefines what it means to search and browse: users get instant answers and visual previews, so they never have to leave the page they are on to view their search results, and they can move seamlessly across desktop, iPhone and iPad, picking up wherever they left off.

In terms of errors, TheNextWeb spotted that the terms and conditions page was initially blank after launch; it has since been filled in.

However, Nik Cubrilovic, who describes himself as an 'entrepreneur, hacker and blogger', installed the Chrome extension of Axis to look at the source code and noticed that the package ships with the private certificate file (that is, the signing key) used to sign the extension.

He said: “The certificate file is used by Yahoo! to sign the extension package, which is used by Chrome and the webstore to authenticate that the package comes from Yahoo!. With access to the private certificate file, a malicious attacker is able to create a forged extension that Chrome will authenticate as being from Yahoo!.

“The clearest implication is that with the private certificate file and a fake extension, you can create a spoofed package that captures all web traffic including passwords, session cookies, etc.

“The easiest way to get this installed onto a victim's machine would be to DNS spoof the update URL. The next time the extension attempts to update it will silently install and run the spoofed extension. I immediately reported this to Yahoo! on their security contact address and have yet to hear back.”
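The forgery Cubrilovic describes works because Chrome derives an extension's identity from its public key, and accepts a package or update for that identity only if it is signed by the matching private key. The script below is an added example written for this article; it is not Cubrilovic's or Yahoo!'s code and does not touch the Axis package. It shows two things a practitioner would want at this point: how the extension ID is derived from the packaged public key (so a leaked private key lets anyone produce a package with the same ID), and a pre-publish check that scans a CRX for PEM private-key material. It assumes the CRX2 container layout used by Chrome at the time (magic "Cr24", version 2, public key and signature lengths, then the key, the RSA signature and the zip archive); the sample package, its stand-in public key bytes and its placeholder signature are all constructed inline, and the signature is not verified here.

```python
import hashlib
import io
import re
import struct
import zipfile

CRX_MAGIC = b"Cr24"
CRX2_VERSION = 2

# PEM markers that must never appear inside a shipped extension package.
PRIVATE_KEY_MARKERS = re.compile(
    rb"-----BEGIN (?:RSA |EC |ENCRYPTED |OPENSSH )?PRIVATE KEY-----"
)


def extension_id_from_public_key(spki_der: bytes) -> str:
    """Chrome's extension ID: SHA-256 of the DER public key, first 128 bits,
    each hex digit remapped to the letters a-p. The ID therefore belongs to
    whoever holds the private half of the key, not to the package contents."""
    digest = hashlib.sha256(spki_der).hexdigest()[:32]
    return digest.translate(str.maketrans("0123456789abcdef", "abcdefghijklmnop"))


def build_crx2(pubkey: bytes, signature: bytes, zip_bytes: bytes) -> bytes:
    """Assemble a CRX2 container: header, public key, signature, zip payload."""
    header = CRX_MAGIC + struct.pack("<III", CRX2_VERSION, len(pubkey), len(signature))
    return header + pubkey + signature + zip_bytes


def parse_crx2(blob: bytes):
    """Split a CRX2 container into (public key, signature, zip bytes)."""
    if blob[:4] != CRX_MAGIC:
        raise ValueError("not a CRX file")
    version, pk_len, sig_len = struct.unpack_from("<III", blob, 4)
    if version != CRX2_VERSION:
        raise ValueError(f"unsupported CRX version {version}")
    off = 16
    pubkey = blob[off:off + pk_len]
    off += pk_len
    signature = blob[off:off + sig_len]
    off += sig_len
    return pubkey, signature, blob[off:]


def find_private_keys(zip_bytes: bytes):
    """Return the names of zip entries that contain PEM private-key markers."""
    leaked = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            if PRIVATE_KEY_MARKERS.search(zf.read(name)):
                leaked.append(name)
    return leaked


def audit_crx(blob: bytes) -> dict:
    """The check Yahoo!'s release pipeline needed: derive the ID the package
    claims and list any private keys bundled alongside the signed content."""
    pubkey, signature, zip_bytes = parse_crx2(blob)
    return {
        "extension_id": extension_id_from_public_key(pubkey),
        "signature_bytes": len(signature),
        "leaked_private_keys": find_private_keys(zip_bytes),
    }


def make_sample_crx(include_key: bool) -> bytes:
    """Constructed sample package (hypothetical, not the Axis extension)."""
    fake_pubkey = bytes(range(0x30, 0x30 + 64))  # stand-in for a DER public key
    fake_signature = b"\x00" * 128               # placeholder; CRX2 uses RSA over the zip
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("manifest.json",
                    '{"name": "demo", "version": "1.0", "manifest_version": 2}')
        zf.writestr("background.js", "console.log('hello');")
        if include_key:
            # The mistake described in the article: the signing key shipped in the package.
            zf.writestr("key.pem", "-----BEGIN RSA PRIVATE KEY-----\n"
                                   "constructed placeholder, not a real key\n"
                                   "-----END RSA PRIVATE KEY-----\n")
    return build_crx2(fake_pubkey, fake_signature, buf.getvalue())


if __name__ == "__main__":
    for include_key in (True, False):
        print(audit_crx(make_sample_crx(include_key)))
```

Running the audit on the two constructed packages gives the same extension ID for both, because the ID depends only on the public key, while only the first reports `key.pem` as leaked. That is the whole of the risk on this page: with the private key an attacker can sign a different zip, wrap it in a CRX carrying the same public key, and Chrome will treat it as an update to the genuine extension. A scan like `find_private_keys` on the final artefact before upload is a cheap gate against the same mistake.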

TheNextWeb later posted that Yahoo! had disabled the Google Chrome extension for Axis and said it was "actively working towards a resolution and expects to have a fix shortly".

A member of Yahoo!'s Axis team provided a further statement that read: “Since discovering this issue we have immediately pulled down the Chrome extension. We have blacklisted the exposed cert key with Google which has resolved the vulnerability. An updated Chrome extension should be available within the next 30 minutes with this issue completely resolved.

“We take issues like this very seriously and are dedicated to working around the clock to ensure resolution. We apologise for any inconvenience.”
