
A forged Yahoo Axis Chrome extension


Yahoo Axis Forged Package

Yahoo! accidentally included their private certificate file inside the Axis Chrome extension.


This project is a test package signed using that certificate. The source is in src; a test build signed with the cert is in build.

The original package is in original_build, and the unpacked original source is in original_src.

The spoofed package has exactly the same source as the original, except that it adds a content script.

Install

To test, install the package by clicking on the raw link:

https://github.com/nikcub/yahoo-spoof/raw/master/build/yahoo-spoof.crx

All it does is trigger a JavaScript alert on every page load on every site/domain. It does this via the added content script.

Contents

In this repo

Implications

Working that out now. I think that if you can DNS hijack the update URL, a forged package would update and install silently.
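As an added example (not code from this repository), the following Python shows why a package signed with the leaked key is indistinguishable to Chrome from a legitimate build, which is what makes the silent-update scenario above plausible: the extension ID is derived from the public key carried in the CRX header, so the original package and a repackaged one with an extra content script share the same identity. The CRX2 container layout and the ID derivation follow Chrome's documented format; the key bytes, signature and zip payloads below are constructed placeholders, and no signing is performed.

```python
import hashlib
import struct

CRX2_MAGIC = b"Cr24"


def build_crx2(pubkey_der: bytes, signature: bytes, zip_payload: bytes) -> bytes:
    """Assemble a CRX2 container: magic, version, key length, sig length, key, sig, zip.
    Used here only to construct sample input; the signature bytes are not real."""
    header = CRX2_MAGIC + struct.pack("<III", 2, len(pubkey_der), len(signature))
    return header + pubkey_der + signature + zip_payload


def parse_crx2(blob: bytes) -> dict:
    """Split a CRX2 file into its public key, signature and zip payload."""
    if blob[:4] != CRX2_MAGIC:
        raise ValueError("not a CRX file")
    version, key_len, sig_len = struct.unpack("<III", blob[4:16])
    if version != 2:
        raise ValueError(f"unsupported CRX version {version}")
    sig_start = 16 + key_len
    zip_start = sig_start + sig_len
    return {
        "pubkey": blob[16:sig_start],
        "signature": blob[sig_start:zip_start],
        "zip": blob[zip_start:],
    }


def extension_id(pubkey_der: bytes) -> str:
    """Chrome derives the extension ID from the SHA-256 of the DER public key:
    the first 16 bytes, with each hex digit 0-f mapped to the letters a-p."""
    digest = hashlib.sha256(pubkey_der).hexdigest()[:32]
    return "".join(chr(ord("a") + int(c, 16)) for c in digest)


def same_extension_identity(crx_a: bytes, crx_b: bytes) -> bool:
    """True when Chrome would treat the two packages as the same extension,
    i.e. one could be delivered as an update for the other."""
    return extension_id(parse_crx2(crx_a)["pubkey"]) == extension_id(parse_crx2(crx_b)["pubkey"])


# Constructed sample data: a placeholder "key", a dummy signature, two payloads.
SAMPLE_KEY = b"constructed-placeholder-der-public-key"
DUMMY_SIG = b"\x00" * 8
ORIGINAL_ZIP = b"PK-original-extension-contents"
FORGED_ZIP = b"PK-same-contents-plus-extra-content-script"
ORIGINAL_CRX = build_crx2(SAMPLE_KEY, DUMMY_SIG, ORIGINAL_ZIP)
FORGED_CRX = build_crx2(SAMPLE_KEY, DUMMY_SIG, FORGED_ZIP)

if __name__ == "__main__":
    print("same identity:", same_extension_identity(ORIGINAL_CRX, FORGED_CRX))
```

The defender's takeaway is that the ID and signature check alone cannot detect this: once the private key leaks, only pinning the payload hash of known-good builds (or revoking and rotating the key) separates the legitimate package from a repackaged one.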

Updates

I have published a blog post about this issue. Updates and responses will be posted there.

Follow latest on my Twitter at @nikcub
