Adobe's security team reveals its private PGP key

Quack quack oops.

Adobe's security team reveals its private PGP key

A careless finger fumble can easily put the security of your organisation at risk.

All you need to do is click on the wrong link, open a malicious attachment, enter your password on a dodgy phishing site, or - in the case of Adobe - publish your private PGP key for anyone to see on your security blog.

Yes, you read that right - Adobe's security team published the private PGP key for its psirt@adobe.com email account.

There aren't enough face-palming GIFs in the world to express just how much of a goof that is.

It was an accident, of course. One assumes a member of staff was updating the public key used by Adobe's security team for encrypted communications with the infosecurity community and simply cut-and-paste more than they should have done.

But the consequences could have been serious. An opportunistic hacker could have used the private key to create PGP-signed messages that appeared to really come from Adobe's security team. Furthermore, the key could have been used to unlock messages sent to Adobe's security team from researchers who had discovered zero-day vulnerabilities in - say - Flash Player. That's not the kind of information you want to fall into the hands of a sophisticated hacking group or intelligence agency.

One also has to wonder how long it would have taken for the key to be revoked if security researcher Juho Nurminen had not privately informed Adobe about the problem.

After Adobe hurriedly revoked the PGP key, Juho was safe to publicise his discovery.

https://twitter.com/jupenur/status/911286403434246144/photo/1

Adobe has issued a statement reassuring customers that it doesn't believe any harm was done.

Adobe is aware of the issue and has revoked the PGP key in question and published a new public and private key. The PGP key in question was used exclusively for email correspondence between external security researchers and the Adobe security team, and there is no impact to Adobe customers.

Well, no harm apart from the damage down to Adobe's reputation, of course. People will be joking about this finger fumble for years.

Tags: ,

Smashing Security podcast
Check out "Smashing Security", the new weekly audio podcast, with Graham Cluley, Carole Theriault, and special guests from the world of information security.

"Three people having fun in an industry often focused on bad news" • "It's brilliant!" • "The Top Gear of computer security"

Latest episodes:

,

2 Responses

  1. dan

    September 29, 2017 at 2:55 pm #

    "Your PGP private key is stored on your disk in encrypted form. In particular, it is encrypted using your passphrase. To decrypt a file, PGP needs (1) your passphrase, and (2) the encrypted private key file; from these it can reconstitute your private key, and then decrypt the file."
    To be clear, what was posted was the private key file, not the decrypted private key.

    "But the consequences could have been serious. An opportunistic hacker could have used the private key to create PGP-signed messages that appeared to really come from Adobe's security team."
    This would also require the passphase to decrypt the private key file

    "Furthermore, the key could have been used to unlock messages sent to Adobe's security team from researchers who had discovered zero-day vulnerabilities"
    This would also require the passphase to decrypt the private key file, along with a copy of the email message send to the security team

    • Graham Cluley in reply to dan.

      September 29, 2017 at 4:12 pm #

      Quite correct Dan! Yes, the private key would need to be decrypted with the passphrase. Let's hope they chose a strong, hard-to-crack passphrase.

      I think we're all in agreement that publishing a private key is still a very bad idea.

Leave a Reply