Yahoo! accidentally included their private certificate file inside the Axis Chrome extension
This project is a test package signed using the certificate. Source is in src, and a test build signed with the cert is in build.
The original package is in original_build and the unpacked original source is in original_src.
The spoofed package has the exact same source except it adds a content script.
To test-install the package, click on the raw link:
https://github.com/nikcub/yahoo-spoof/raw/master/build/yahoo-spoof.crx
All that it does is trigger a JavaScript alert on every page load on every site/domain. It does this via an added content script.
In this repo:
- src - the source for the forged package with added content script
- build - a build of the forged package with added content script
- original_src - original Yahoo! source for Axis
- original_build - the original package from Yahoo!
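Because both packages are signed with the same key, neither the signature nor the extension ID derived from that key can tell them apart; only the archive contents differ. The following is an added example (not code from this repo) that parses the package header, derives the ID, and diffs the files of two packages. It assumes the CRX version 2 layout, does not verify the signature, and uses constructed placeholder key bytes and sample packages.

```python
import hashlib, io, json, struct, zipfile

def parse_crx2(data):
    """Return (public_key, signature, zip_bytes) from a CRX version 2 file."""
    if len(data) < 16 or data[:4] != b"Cr24":
        raise ValueError("not a CRX package")
    version, key_len, sig_len = struct.unpack_from("<III", data, 4)
    if version != 2 or 16 + key_len + sig_len > len(data):
        raise ValueError("unsupported version or truncated header")
    key_end, sig_end = 16 + key_len, 16 + key_len + sig_len
    return data[16:key_end], data[key_end:sig_end], data[sig_end:]

def extension_id(public_key):
    """First 16 bytes of SHA-256(key), each hex digit mapped to a-p."""
    digest = hashlib.sha256(public_key).hexdigest()[:32]
    return "".join(chr(ord("a") + int(c, 16)) for c in digest)

def inventory(zip_bytes):
    """Map each archive member name to the SHA-256 of its contents."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return {n: hashlib.sha256(zf.read(n)).hexdigest() for n in zf.namelist()}

def compare(reference_crx, candidate_crx):
    """Compare signing key and file contents of two packages."""
    ref_key, _, ref_zip = parse_crx2(reference_crx)
    cand_key, _, cand_zip = parse_crx2(candidate_crx)
    ref, cand = inventory(ref_zip), inventory(cand_zip)
    with zipfile.ZipFile(io.BytesIO(cand_zip)) as zf:
        manifest = json.loads(zf.read("manifest.json"))
    return {
        "same_key": ref_key == cand_key,
        "extension_id": extension_id(cand_key),
        "added": sorted(set(cand) - set(ref)),
        "changed": sorted(n for n in ref.keys() & cand.keys() if ref[n] != cand[n]),
        "content_scripts": manifest.get("content_scripts", []),
    }

def build_sample_crx(key, files):
    """Constructed input: CRX2 framing around a zip, placeholder signature."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in files.items():
            zf.writestr(name, body)
    sig = b"\x00" * 8  # placeholder bytes, not a real signature
    return struct.pack("<4sIII", b"Cr24", 2, len(key), len(sig)) + key + sig + buf.getvalue()

KEY = b"constructed-key-bytes"  # stands in for the DER public key
ORIGINAL = build_sample_crx(KEY, {"manifest.json": '{"name": "sample"}'})
CANDIDATE = build_sample_crx(KEY, {"added.js": "// constructed\n", "manifest.json":
    '{"name": "sample", "content_scripts": [{"js": ["added.js"], "matches": ["<all_urls>"]}]}'})
```

Calling compare(ORIGINAL, CANDIDATE) reports the same key and ID for both packages, with the added script and the changed manifest as the only differences.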
Working that out now. I think that if you can DNS hijack the update URL a forged package would update and install silently.
I have published a blog post about this issue. Updates and responses will be posted there.
Follow latest on my Twitter at @nikcub