“Oh Shit, Adobe” – The Company Accidentally Leaks Its Private PGP Key
Adobe is not a new name when it comes to security disasters. The company's Flash Player - due to be put to its deathbed by 2020 - continues to be riddled with security vulnerabilities. A latest employee gaffe has now resulted in the leak of Adobe's private PGP key into the wild.
Adobe publicly dumped its private PGP key
PGP or Pretty Good Privacy has been at the forefront of encrypted communications especially since Edward Snowden's NSA leaks. While not completely unbreakable, the messages that have been encrypted using PGP leak a lot of metadata that helps well-sponsored attackers to map out who a target is secretly communicating with. But, all is lost when the private key itself is exposed. While the private keys are themselves protected with pass phrases, they could be easily broken.
Spotted first by the security researcher Juho Nurminen, the key was discovered in the Product Security Incident Response Team blog that included the private PGP key instead of public.
Oh shit Adobe pic.twitter.com/7rDL3LWVVz
— Juho Nurminen (@jupenur) September 22, 2017
The exposure is problematic, if unlikely to be disastrous, as it enables attackers to spoof messages and pretend to be Adobe. While this appears to be a simple clumsy blunder, it could potentially also enable sophisticated attackers - and government intelligence agencies - to intercept emails, that may then lead them to use any exploits that have been discussed but haven't been patched up by the company.
— Eric Adler (@ericladler) September 22, 2017
"PGP keys can also be used to secure other types of files as well," Chris Vickery, director of Cyber Risk Research at UpGuard, wrote in a message to Wccftech. "The big concern with an Adobe PGP key getting out in the wild is that if a malicious actor had ever intercepted Adobe emails encrypted with that key, that actor would now be able to read the emails." It, of course, then applies to any files that may have been secured with PGP. "The attackers would now have the key necessary to read the data," he added.
While it's a long call to suggest that this could allow attackers to infect targets with malware since not many actually use it, the potential for problems also depends on how long it remained in the public space before it was discovered and then removed. It will certainly be one difficult Friday for Adobe employees.
- We have reached out to the Flash Player maker for a comment on this story and will update this space when we hear back.