Yahoo! accidentally included their private certificate file inside the Axis Chrome extension
This project is a test package signed using the certificate. Source is in
src a test build signed with the cert is in
The original package is in
original_build and the unpacked original source is in
The spoofed package has the exact same source except it adds a content script.
To test install the package click on the raw link:
In this repo
src- the source for the forged package with added content script
build- a build of the forged package with added content script
original_src- original Yahoo! source for Axis
original_build- the original package from Yahoo!
Working that out now. I think that if you can DNS hijack the update URL a forged package would update and install silently.
I have published a blog post about this issue. Updates and responses will be posted there.
Follow latest on my Twitter at @nikcub