A forged Yahoo Axis chrome extension
JavaScript
Permalink
Failed to load latest commit information.
build
original_build
original_src added original source and build May 24, 2012
src
README.md

README.md

Yahoo Axis Forged Package

Yahoo! accidentally included their private certificate file inside the Axis Chrome extension

screenshot

This project is a test package signed using the certificate. Source is in src a test build signed with the cert is in build.

The original package is in original_build and the unpacked original source is in original_src

The spoofed package has the exact same source except it adds a content script.

Install

To test install the package click on the raw link:

https://github.com/nikcub/yahoo-spoof/raw/master/build/yahoo-spoof.crx

All that it does is trigger a javascript alert on every page load on every site/domain. It does this via an added content script.

Contents

In this repo

Implications

Working that out now. I think that if you can DNS hijack the update URL a forged package would update and install silently.

Updates

I have published a blog post about this issue. Updates and responses will be posted there.

Follow latest on my Twitter at @nikcub