A forged Yahoo Axis chrome extension

Yahoo Axis Forged Package

Yahoo! accidentally included their private certificate file inside the Axis Chrome extension.


This project is a test package signed using that certificate. The source is in src; a test build signed with the cert is in build.

The original package is in original_build, and the unpacked original source is in original_src.

The spoofed package has exactly the same source, except that it adds a content script.


To test, install the package by clicking on the raw link:

All that it does is trigger a JavaScript alert on every page load on every site/domain. It does this via the added content script.


In this repo


Working that out now. I think that if you can DNS-hijack the update URL, a forged package would update and install silently.
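The reason a package signed with the leaked key would be accepted as an update is that Chrome identifies an extension by its signing key: the extension ID is the first 128 bits of SHA-256 over the DER-encoded public key, with each hex digit remapped to the letters a-p, so any CRX carrying the same key is "the same extension" to the browser. The following added example (not part of this repo) parses a CRX2 header, derives that ID, and checks whether two packages share a signer; the key, signature and zip bytes are constructed placeholders, not the real Axis material.

```python
import hashlib
import struct

# CRX2 layout (little-endian integers): magic "Cr24", version 2, public key
# length, signature length, then DER public key, RSA signature over the zip, zip.
CRX_MAGIC = b"Cr24"


def parse_crx2(blob):
    """Split a CRX2 package into (public_key_der, signature, zip_payload)."""
    if blob[:4] != CRX_MAGIC:
        raise ValueError("not a CRX file")
    version, key_len, sig_len = struct.unpack_from("<III", blob, 4)
    if version != 2:
        raise ValueError("unsupported CRX version %d" % version)
    key_start = 16
    sig_start = key_start + key_len
    zip_start = sig_start + sig_len
    if zip_start > len(blob):
        raise ValueError("truncated CRX header")
    return blob[key_start:sig_start], blob[sig_start:zip_start], blob[zip_start:]


def extension_id(public_key_der):
    """Chrome extension ID: first 32 hex chars of SHA-256(key), 0-f mapped to a-p."""
    digest = hashlib.sha256(public_key_der).hexdigest()[:32]
    return "".join(chr(ord("a") + int(c, 16)) for c in digest)


def same_extension(crx_a, crx_b):
    """True when both packages derive the same extension ID, i.e. Chrome would
    install one as an update of the other regardless of what the zip contains."""
    key_a, _, _ = parse_crx2(crx_a)
    key_b, _, _ = parse_crx2(crx_b)
    return extension_id(key_a) == extension_id(key_b)


def build_crx2(public_key_der, signature, zip_payload):
    """Assemble a CRX2 container; used only to construct sample input here."""
    header = CRX_MAGIC + struct.pack("<III", 2, len(public_key_der), len(signature))
    return header + public_key_der + signature + zip_payload


# Constructed sample data: a placeholder "key", and two payloads signed with it.
LEAKED_KEY = b"\x30\x0d-constructed-placeholder-spki-not-a-real-key"
ORIGINAL = build_crx2(LEAKED_KEY, b"sig-original", b"PK\x03\x04 original zip")
FORGED = build_crx2(LEAKED_KEY, b"sig-forged", b"PK\x03\x04 zip + content script")
OTHER = build_crx2(b"\x30\x0d-some-unrelated-key", b"sig-other", b"PK\x03\x04 x")
```

Because the ID depends only on the key, a pinned-ID check cannot distinguish ORIGINAL from FORGED; the only remedy is a new signing key, which by construction yields a new extension ID.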


I have published a blog post about this issue. Updates and responses will be posted there.

Follow the latest on my Twitter at @nikcub.

