Launch of Yahoo's Axis Web Browser Tainted by Security Snafu

Yahoo's first venture into the world of web browser production was always likely to be memorable, but in the end it stood out for its glaring security glitches rather than its slick operation.

On Wednesday evening, Yahoo launched Axis, billed as a 'search browser' that allows users to potentially skip a step in the surfing process by visually perusing thumbnails of other webpages without leaving the page they are on.

The troubled internet corporation also appears to have skipped another element typical of browsing software: it neglected to include any terms of service, instead leaving a placeholder announcing where the TOS would eventually go.

More worryingly, a blogger and hacker, Nik Cubrilovic, discovered that the Yahoo Axis Chrome extension shipped with the private certificate file used to sign it, potentially allowing rogue extensions to be produced under Yahoo's identity.

He pointed out the various dangers of this security lapse, noting that with a fake extension, hackers could design counterfeit packages capable of capturing a range of web traffic, including sensitive information like passwords and session cookies.

Cubrilovic was particularly derisive about the relatively elementary nature of the weakness.

"There is also an element of obviousness in this vulnerability. Any developer who is familiar with how Chrome extensions are verified who looked at the source of this package would have seen and noticed the certificate file," he said.
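The mistake described above is one a pre-release check can catch: any PEM private-key block inside the extension package is material that must never ship. The following is an added example (not Yahoo's or Cubrilovic's code) that scans a constructed, placeholder extension tree for such blocks; the manifest `key` field, which holds only the public key, is correctly left alone.

```python
"""Pre-release check: flag private-key material shipped inside a browser-extension package."""
import os
import re
import tempfile

# Matches any PEM private-key header: RSA, EC, PKCS#8 "PRIVATE KEY", or "ENCRYPTED PRIVATE KEY".
PEM_PRIVATE_KEY = re.compile(rb"-----BEGIN [A-Z ]*PRIVATE KEY-----")


def find_private_keys(root):
    """Return sorted relative paths of every file under ``root`` containing a PEM private key."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                if PEM_PRIVATE_KEY.search(fh.read()):
                    hits.append(os.path.relpath(path, root))
    return sorted(hits)


def check_package(root):
    """Return (ok, findings); ok is False when any private key is present in the package."""
    hits = find_private_keys(root)
    return (not hits, hits)


def run_sample_check(include_key=True):
    """Build a constructed (placeholder, not real) extension tree and run the check on it."""
    with tempfile.TemporaryDirectory() as root:
        files = {
            # manifest 'key' carries the PUBLIC key; placeholder value, safe to ship, must not be flagged
            "manifest.json": b'{"name": "example-ext", "version": "1.0", "key": "MIIBIjAN...PLACEHOLDER"}',
            "background.js": b"chrome.runtime.onInstalled.addListener(() => {});\n",
        }
        if include_key:
            # the packaging error from the article: the signing key left inside the package (placeholder)
            files["example-ext.pem"] = (b"-----BEGIN RSA PRIVATE KEY-----\n"
                                        b"PLACEHOLDER-NOT-A-REAL-KEY\n"
                                        b"-----END RSA PRIVATE KEY-----\n")
        for rel, data in files.items():
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(data)
        return check_package(root)


if __name__ == "__main__":
    ok, hits = run_sample_check()
    print("OK" if ok else "FAIL: private key material in package: " + ", ".join(hits))
```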

In response to Mr Cubrilovic's post, a user identifying himself as Ethan Batraski of Yahoo's Search Innovation Group claimed the company had responded to the threat immediately.

"We recently learned of this Chrome vulnerability with Yahoo Axis and immediately disabled the Chrome extension. We blacklisted the key with Google taking effect immediately. We take these types of issues very seriously," Batraski said.

CNET is currently waiting for an official response from Yahoo regarding these issues.

Source: CNET

Image Credit: Steven Musil/CNET