Yahoo Manages To Leak Private Security Key With New Chrome Extension


Yahoo has just released its Axis extension — a visual search tool that links across desktop and mobile devices — but sadly, there’s a hitch. During the release, Yahoo managed to leak a private security key in the Chrome version, one that could allow anyone to create malicious plugins masquerading as official software. Oops.

The Register reports that Nik Cubrilovic revealed the mistake on his blog, explaining that users should not install the extension “until the issue is clarified”. Hidden amongst the Chrome source code of the Axis extension is a private, unencrypted certificate, which allows Yahoo to sign the app, in the process proving it genuine. But it shouldn’t be visible to users. Because it is, there’s nothing stopping people from copying it and including it in malicious software, which could trick Google into thinking it was legitimate.

Fortunately, Yahoo has since posted a replacement version of the extension without the problem. Still, Yahoo: don’t you think it’s time you got a grip? [The Register]
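
A pre-release check that would catch this kind of mistake, as an added example that is not from the article or from Yahoo: it scans a packaged extension (a zip archive) for PEM private key headers and lists the offending files. The sample package, its file names and the placeholder key text are constructed for illustration.

```python
import io
import re
import zipfile

# PEM headers that mark private key material
# (PKCS#1 RSA, EC, DSA, OpenSSH, PKCS#8 plain and encrypted).
PRIVATE_KEY_RE = re.compile(
    rb"-----BEGIN (?:(?:RSA|EC|DSA|OPENSSH|ENCRYPTED) )?PRIVATE KEY-----"
)


def find_private_keys(package_bytes):
    """Return sorted names of archive members containing a PEM private key header."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(package_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if PRIVATE_KEY_RE.search(zf.read(info)):
                hits.append(info.filename)
    return sorted(hits)


def build_sample_package(include_key):
    """Constructed sample: a tiny extension-like zip, optionally with a stray key."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("manifest.json", '{"name": "sample", "version": "1.0"}')
        zf.writestr("background.js", "console.log('hello');")
        # A public certificate is fine to ship and must not be flagged.
        zf.writestr(
            "cert.pem",
            "-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n",
        )
        if include_key:
            # Placeholder text, not a real key; only the header matters to the scan.
            zf.writestr(
                "build/signing.pem",
                "-----BEGIN RSA PRIVATE KEY-----\nCONSTRUCTED-NOT-A-REAL-KEY\n"
                "-----END RSA PRIVATE KEY-----\n",
            )
    return buf.getvalue()


if __name__ == "__main__":
    for label, flag in (("leaky", True), ("clean", False)):
        hits = find_private_keys(build_sample_package(flag))
        print(label, "->", hits or "no private key material found")
```

Run as a release gate, a non-empty result should fail the build, and any key that has already shipped should be treated as compromised and replaced.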

