Yahoo fumbles security in the Axis browser launch

While the world's top companies do everything they can to grow stronger and control a larger share of the market, the management at Yahoo, after a turbulent season (first, sacking the majority of its leaders for one reason or another and second, losing a large percentage of its business authority to competitors), has finally announced its own standalone web browser called Axis – but the browser is an unfinished product. 🙂

According to a confirmed source, Yahoo failed to publish the “terms of service” for its new browser, thereby causing the browser to have some loopholes.

Yahoo announced it yesterday but, as we’ve just said, the browser was an unfinished product because the company rushed it to market.

Axis is a product by Yahoo Inc., basically designed to eliminate the middleman in the usual search process and take users directly from their query to the exact page they want, without the hassle of visiting third-party pages before being led to the normal query page.

That means, if the browser eventually becomes a success, Mozilla and Google Chrome, which normally redirect users to a default search engine page, will find a good competitor in Axis.

A few months ago, we covered this here when Mozilla signed an agreement with Google for its official homepage, a sign that the browser is becoming more or less a supporter of Google for Chrome’s success. Ever since then, according to my own experience, Mozilla has never been that good to me due to bugs and others.

The vulnerability of the new Axis browser is not the only place where the company messed up: the troubled internet pioneer also left out an explanation of its terms of service – truly an unfinished product. 😛

On its official page, there’s a text saying “Terms will go here”, which shows that the company rushed the release of the product yesterday, which is not how it is supposed to be. They were supposed to spend some time giving people a beta version of the product so that people could review it, good or bad, and help them deliver the best product that people will accept.

Since the majority of users of tech products don’t care to read the terms of service of most products before using them, many of them won’t notice most of these issues in the browser release. According to statistics, even fewer users of tech products have ever read the terms of service to date. But my concern is about what Nik Cubrilovic, a blogger and hacker, recently described in his blog post. He said he found that the Yahoo Axis Chrome extension leaks the browser’s certificate file, thereby making it easy for counterfeit extensions to have their way:

“It is very clear that with the private certificate file and a fake extension, hackers can easily create spoofed packages that will capture all web data including web traffic, passwords, browser session cookies, etc.”

He went on to say that the easiest way to get that spoofed package onto the victim’s PC would be DNS spoofing of the extension’s update URL. That means that the next time the extension attempts to update, the browser will silently install and, by default, run the spoofed extension.

In an attempt to curb the situation, Cubrilovic said he had earlier reported the vulnerability to Yahoo but had not yet heard back from them concerning the Axis vulnerability.

“There’s also an element of openness in this vulnerability,” Cubrilovic said in his blog post. He continued: “any developer who’s familiar with how Google Chrome extensions are verified would have seen and noticed where the certificate file is located in there.”

However, in response to Cubrilovic’s post, a user identifying himself as Ethan Batraski, head of product for the Search Innovation Group at Yahoo, said the popular search company was taking the needed steps and that the matter would be resolved as soon as possible. Ethan said:

“We recently learned of this Chrome extension vulnerability with Yahoo Axis and immediately, we have disabled the Chrome extension in order to control the situation. In addition to that, we’ve blacklisted the key with Google and it is taking effect immediately. We take these types of issues very seriously and are working around the clock to ensure this is resolved.”

Is this the end of Yahoo Axis? Absolutely not! We’ll let you know as soon as the issue is resolved.
