Yahoo has confirmed that it has disabled the Google Chrome extension for its new Axis browser, after security concerns were raised by a developer who was able to forge the extension.
A company spokesperson provided The Next Web with the following statement that confirms the temporary shutdown:
Yahoo! takes online security seriously. We recently learned of a vulnerability with Yahoo! Axis on Chrome and immediately disabled the Chrome extension. We are actively working towards a resolution and expect to have a fix shortly.
Additionally, a member of Yahoo’s Axis team provided a further statement in response to our previous post:
Since discovering this issue we have immediately pulled down the Chrome extension. We have blacklisted the exposed cert key with Google which has resolved the vulnerability. An updated Chrome extension should be available within the next 30 minutes with this issue completely resolved. We take issues like this very seriously and are dedicated to working around the clock to ensure resolution. We apologize for any inconvenience.
The closure comes after developer Nick Cubrilovic unearthed a major flaw: the Chrome extension leaks its private certificate file. That makes it vulnerable to being forged and cloned into fake extensions, as he explains:
The clearest implication is that with the private certificate file and a fake extension you can create a spoofed package that captures all web traffic, including passwords, session cookies, etc.
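As an added illustration that is not from the article, from Yahoo or from Cubrilovic, here is a small pre-publish check a developer can run over an extension's zip payload (the archive that a .crx wraps) to catch bundled private-key material like the file that leaked here; the sample package and its placeholder key are constructed for the demo.

```python
import io
import re
import zipfile

# PEM private keys start with one of these marker lines; matching on content
# catches a key even when it has been renamed to something innocuous.
PRIVATE_KEY_MARKER = re.compile(rb"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----")
# File names that should never ship inside an extension package.
SUSPICIOUS_NAMES = re.compile(r"\.(pem|key|p12|pfx)$", re.IGNORECASE)


def find_leaked_keys(package_bytes: bytes) -> list[str]:
    """Return archive members that look like private key material.

    Both the member name and the first 4 KiB of its content are checked.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(package_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as member:
                head = member.read(4096)
            if SUSPICIOUS_NAMES.search(info.filename) or PRIVATE_KEY_MARKER.search(head):
                findings.append(info.filename)
    return findings


def build_sample_package(include_key: bool) -> bytes:
    """Constructed sample extension payload (hypothetical, not the Axis extension)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("manifest.json", '{"name": "sample", "version": "1.0"}')
        zf.writestr("background.js", "console.log('hello');")
        if include_key:
            # Placeholder body, not a real key; only the marker line matters here.
            zf.writestr("build/signing.txt",
                        "-----BEGIN RSA PRIVATE KEY-----\nPLACEHOLDER\n"
                        "-----END RSA PRIVATE KEY-----\n")
            # Caught by name alone, even though the content carries no marker.
            zf.writestr("extension.pem", "not-a-real-key\n")
    return buf.getvalue()


if __name__ == "__main__":
    for member in find_leaked_keys(build_sample_package(include_key=True)):
        print("private key material found in package:", member)
```

A non-empty result should fail the build; the packaging step must keep the signing key outside the directory that gets zipped.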
It’s been a mixed bag for the new browser. Though it has been given a positive welcome by some, it has suffered from the extension security flaw, someone at the firm forgot to publish its terms and conditions page, and other tech pundits have cast doubt over the timing of Yahoo’s entry into the browser space.
As we revealed last week, Google Chrome had just overtaken Internet Explorer as the Web’s most popular option. With Mozilla (Firefox), Opera and Apple (Safari) among the other players fighting for attention, it remains to be seen if there is space for yet another browser.