nikcub/yahoo-spoof

Yahoo Axis Forged Package

Yahoo! accidentally included their private certificate file inside the Axis Chrome extension

This project is a test package signed using the certificate. The source is in src, and a test build signed with the cert is in build.

The original package is in original_build, and the unpacked original source is in original_src.

The spoofed package has the exact same source except it adds a content script.
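A pre-publish check a packager could run to catch the mistake described above, shown as an added example that is not part of this repository. It assumes the CRX2 container layout (magic `Cr24`, version 2, key and signature lengths, then a zip), and also derives the extension ID from the public key, which is why a package signed with the same key is treated as the same extension. The sample package, key bytes and file names are constructed for the example.

```python
import hashlib
import io
import struct
import zipfile

# PEM headers that indicate private-key material inside a package.
KEY_MARKERS = (b"-----BEGIN RSA PRIVATE KEY-----",
               b"-----BEGIN PRIVATE KEY-----",
               b"-----BEGIN ENCRYPTED PRIVATE KEY-----")

def parse_crx2(data):
    """Split a CRX2 file into (public_key_der, signature, zip_bytes)."""
    if len(data) < 16 or data[:4] != b"Cr24":
        raise ValueError("not a CRX file")
    version, key_len, sig_len = struct.unpack("<III", data[4:16])
    if version != 2:
        raise ValueError("only CRX2 is handled here")
    end_key = 16 + key_len
    end_sig = end_key + sig_len
    if end_sig > len(data):
        raise ValueError("truncated CRX header")
    return data[16:end_key], data[end_key:end_sig], data[end_sig:]

def extension_id(public_key_der):
    """First 16 bytes of SHA-256(public key), hex digits 0-f mapped to a-p."""
    digest = hashlib.sha256(public_key_der).hexdigest()[:32]
    return "".join(chr(ord("a") + int(c, 16)) for c in digest)

def find_private_keys(zip_bytes):
    """Return names of archive members that contain a PEM private-key header."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if any(marker in zf.read(info) for marker in KEY_MARKERS):
                hits.append(info.filename)
    return hits

def build_sample_crx():
    """Constructed sample: placeholder key/signature bytes and a zip shipping a PEM."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("manifest.json", '{"name": "sample", "version": "1.0"}')
        zf.writestr("signing_key.pem",
                    "-----BEGIN RSA PRIVATE KEY-----\n(placeholder)\n")
    pub, sig = b"\x30" * 32, b"\x00" * 16
    header = b"Cr24" + struct.pack("<III", 2, len(pub), len(sig))
    return header + pub + sig + buf.getvalue()

if __name__ == "__main__":
    pub, _sig, payload = parse_crx2(build_sample_crx())
    print("extension id:", extension_id(pub))
    print("private key material in package:", find_private_keys(payload))
```

A non-empty result from `find_private_keys` means the signing key would ship to every user who installs the package.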

Install

To test-install the package, click on the raw link:

https://github.com/nikcub/yahoo-spoof/raw/master/build/yahoo-spoof.crx

All that it does is trigger a JavaScript alert on every page load on every site/domain. It does this via an added content script.

Contents

In this repo

Implications

Working that out now. I think that if you can DNS hijack the update URL, a forged package would update and install silently.

Updates

I have published a blog post about this issue. Updates and responses will be posted there.

Follow latest on my Twitter at @nikcub

About

A forged Yahoo Axis chrome extension
