yahoo-spoof
yahoo-spoof copied to clipboard
nikcub
A forged Yahoo Axis chrome extension
Yahoo Axis Forged Package
Yahoo! accidentally included their private certificate file inside the Axis Chrome extension
This project is a test package signed using the certificate. Source is in src a test build signed with the cert is in build.
The original package is in original_build and the unpacked original source is in original_src
The spoofed package has the exact same source except it adds a content script.
Install
To test install the package click on the raw link:
https://github.com/nikcub/yahoo-spoof/raw/master/build/yahoo-spoof.crx
All that it does is trigger a javascript alert on every page load on every site/domain. It does this via an added content script.
Contents
In this repo
src- the source for the forged package with added content scriptbuild- a build of the forged package with added content scriptoriginal_src- original Yahoo! source for Axisoriginal_build- the original package from Yahoo!
Implications
Working that out now. I think that if you can DNS hijack the update URL a forged package would update and install silently.
Updates
I have published a blog post about this issue. Updates and responses will be posted there.
Follow latest on my Twitter at @nikcub
nikcub