Adobe’s security team reveals its private PGP key

Graham Cluley

A careless finger fumble can easily put the security of your organisation at risk.

All you need to do is click on the wrong link, open a malicious attachment, enter your password on a dodgy phishing site, or – in the case of Adobe – publish your private PGP key for anyone to see on your security blog.

Yes, you read that right – Adobe’s security team published the private PGP key for its psirt@adobe.com email account.

There aren’t enough face-palming GIFs in the world to express just how much of a goof that is.

It was an accident, of course. One assumes a member of staff was updating the public key used by Adobe’s security team for encrypted communications with the infosecurity community and simply cut-and-paste more than they should have done.

But the consequences could have been serious. An opportunistic hacker could have used the private key to create PGP-signed messages that appeared to really come from Adobe’s security team. Furthermore, the key could have been used to unlock messages sent to Adobe’s security team from researchers who had discovered zero-day vulnerabilities in – say – Flash Player. That’s not the kind of information you want to fall into the hands of a sophisticated hacking group or intelligence agency.
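The paste error described above is straightforward to catch mechanically before a post goes live. The Python script below is added here as an illustration; it is not Adobe's tooling or code from this article. It scans draft text for OpenPGP ASCII-armor headers (the `-----BEGIN PGP ... KEY BLOCK-----` labels defined in RFC 4880, section 6.2), fails the publish check whenever a private or secret key block appears, including one whose footer was truncated by the paste, and shows how to strip such a block while leaving the intended public key in place. The sample post and the base64 bodies inside it are constructed placeholders, not real key material.

```python
import re
from dataclasses import dataclass
from typing import List

# OpenPGP ASCII-armor header line (RFC 4880, section 6.2): "-----BEGIN PGP <type>-----"
HEADER_RE = re.compile(r"^-----BEGIN PGP (?P<type>[A-Z ]+)-----[ \t]*$", re.MULTILINE)

# Armor labels that carry secret key material. "SECRET KEY BLOCK" is the older spelling
# emitted by some PGP implementations.
PRIVATE_TYPES = {"PRIVATE KEY BLOCK", "SECRET KEY BLOCK"}

REDACTION_MARKER = "[REDACTED: OpenPGP secret key material removed before publishing]"


@dataclass
class ArmorBlock:
    kind: str      # the armor type label, e.g. "PUBLIC KEY BLOCK"
    line: int      # 1-based line number of the BEGIN header
    closed: bool   # False when no matching END footer follows (truncated paste)


def find_armor_blocks(text: str) -> List[ArmorBlock]:
    """Locate every armor header in the text and whether it is properly closed."""
    blocks = []
    for m in HEADER_RE.finditer(text):
        kind = m.group("type")
        line = text.count("\n", 0, m.start()) + 1
        footer = f"-----END PGP {kind}-----"
        closed = text.find(footer, m.end()) != -1
        blocks.append(ArmorBlock(kind, line, closed))
    return blocks


def private_key_leaks(text: str) -> List[ArmorBlock]:
    """Armor blocks that must never appear in published material."""
    return [b for b in find_armor_blocks(text) if b.kind in PRIVATE_TYPES]


def check_post(text: str) -> bool:
    """Publish gate: True only when the text contains no secret key blocks."""
    return not private_key_leaks(text)


def redact_private_blocks(text: str) -> str:
    """Replace each secret key block (header through footer, or to end of text if the
    footer is missing) with a marker, keeping everything else byte-for-byte."""
    out, pos = [], 0
    for m in HEADER_RE.finditer(text):
        kind = m.group("type")
        if kind not in PRIVATE_TYPES or m.start() < pos:
            continue
        footer = f"-----END PGP {kind}-----"
        end = text.find(footer, m.end())
        end = len(text) if end == -1 else end + len(footer)
        out.append(text[pos:m.start()])
        out.append(REDACTION_MARKER)
        pos = end
    out.append(text[pos:])
    return "".join(out)


# Constructed sample draft: a public key block followed by the accidentally pasted
# private key block. The base64 bodies are placeholders, not decodable key material.
SAMPLE_POST = """\
Our updated PGP key for psirt@example.com (constructed sample, not a real key):

-----BEGIN PGP PUBLIC KEY BLOCK-----

mQENBEXAMPLEpublicKEYmaterialNOTaREALkeyAAAAAAAAAAAAAAAAAAAAAA==
=AbCd
-----END PGP PUBLIC KEY BLOCK-----

-----BEGIN PGP PRIVATE KEY BLOCK-----

lQOYBEXAMPLEprivateKEYmaterialNOTaREALkeyAAAAAAAAAAAAAAAAAAAAA==
=WxYz
-----END PGP PRIVATE KEY BLOCK-----
"""

if __name__ == "__main__":
    for b in private_key_leaks(SAMPLE_POST):
        status = "closed" if b.closed else "truncated"
        print(f"line {b.line}: {b.kind} ({status}) - do not publish")
    print("safe to publish:", check_post(SAMPLE_POST))
    print(redact_private_blocks(SAMPLE_POST))
```

Run as a pre-commit hook or CMS publish step, the gate rejects the draft on the private block at line 9 while the public key block at line 3 passes untouched; a header with no footer is still reported, since a truncated secret key is no less sensitive than a complete one.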

One also has to wonder how long it would have taken for the key to be revoked if security researcher Juho Nurminen had not privately informed Adobe about the problem.

After Adobe hurriedly revoked the PGP key, Juho was safe to publicise his discovery.

https://twitter.com/jupenur/status/911286403434246144/photo/1

Adobe has issued a statement reassuring customers that it doesn’t believe any harm was done.

Adobe is aware of the issue and has revoked the PGP key in question and published a new public and private key. The PGP key in question was used exclusively for email correspondence between external security researchers and the Adobe security team, and there is no impact to Adobe customers.

Well, no harm apart from the damage done to Adobe’s reputation, of course. People will be joking about this finger fumble for years.

Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.

2 Replies to “Adobe’s security team reveals its private PGP key”

  1. "Your PGP private key is stored on your disk in encrypted form. In particular, it is encrypted using your passphrase. To decrypt a file, PGP needs (1) your passphrase, and (2) the encrypted private key file; from these it can reconstitute your private key, and then decrypt the file."
    To be clear, what was posted was the private key file, not the decrypted private key.

    "But the consequences could have been serious. An opportunistic hacker could have used the private key to create PGP-signed messages that appeared to really come from Adobe's security team."
    This would also require the passphrase to decrypt the private key file.

    "Furthermore, the key could have been used to unlock messages sent to Adobe's security team from researchers who had discovered zero-day vulnerabilities"
    This would also require the passphrase to decrypt the private key file, along with a copy of the email message sent to the security team.

    1. Quite correct Dan! Yes, the private key would need to be decrypted with the passphrase. Let's hope they chose a strong, hard-to-crack passphrase.

      I think we're all in agreement that publishing a private key is still a very bad idea.
