Saturday, May 18, 2024

Adobe Most Secured Private PGP Key Leaked Online

Adobe suffered a lot on Friday when its Private PGP keys were inadvertently published on its Product Incident Security Response Team(Blog).

A pair of Public and Private keys were published together, Keys could either decrypt messages sent to Adobe Product Incident Security Response Team(PSIRT).

Researcher Juho Nurminen who works for Finnish security company 2NS (Second Nature Security) as a pen-tester said risk posed by this leak could be stealing private messages or Phishing attack is possible.

Also Read Verizon Wireless Confidential Data Leaked Accidentally by Its Employee

The private key encrypted using a passphrase.Without knowing the passphrase, private Key is worthless.If the passphrase is weak, it can be brute-forced said researcher Juho Nurminen.

Since Adobe PSIRT don’t have direct contact with customers, therefore phishing on a wide scale is not a concern.

If Successfully decrypt the private key is not worth.Nurminen said “Decryption only comes into play if you’re able to intercept some encrypted messages first, which would be fairly difficult in general, and in this case, very unlikely to have ever happened.

If Successfully decrypt the private key is not worth.Nurminen said “Decryption only comes into play if you’re able to intercept some encrypted messages first, which would be fairly difficult in general, and in this case, very unlikely to have ever happened.

Nurminen said “Decryption only comes into play if you’re able to intercept some encrypted messages first, which would be fairly difficult in general, and in this case, very unlikely to have ever happened.

Threatpost said, A Report sent to Adobe on Saturday for comment but not returned in time for publication.Hours later Nurminen’s private disclosure, Then after Adobe took down the post and generated a new private Key.

Once the key had been taken down, Nurminen tweeted screenshots showing the public and private key as well as a third screenshot showing that the key had been created Sept. 18, four days before the researcher stumbled upon it.

Adobe key Leaked
Adobe key Leaked
Adobe key Leaked

Asymmetric cryptography uses a public-private key pair to decrypt messages. Public keys are generally generated by the owner in order to simplify secure communication between two endpoints. Only Adobe knows how the private key was published in a public forum.

Actual consequences in terms of data loss etc. are likely zero,” Nurminen said he found an issue in an Adobe product during a software audit he conducted for his client.“The PSIRT email address was listed on the Adobe website as it should be, along with a link to the blog page containing the PGP keys,” Nurminen said. “The page was obviously supposed to contain only the public key, but instead it contained both the public and the private key.”

Nurminen sent a Twitter direct message to Adobe, Adobe responded that the issue would be forwarded to the appropriate security Team.After some time Nurminen reported the issue to Adobe PSIRT through its HackerOne program.

Finally, Nurminen said. “They closed the [HackerOne] ticket as fixed. I only tweeted out the screenshots once I knew the key was no longer in use. I haven’t heard anything more from Adobe after they closed the [HackerOne] ticket.”

Website

Latest articles

Norway Recommends Replacing SSLVPN/WebVPN to Stop Cyber Attacks

A very important message from the Norwegian National Cyber Security Centre (NCSC) says that...

New Linux Backdoor Attacking Linux Users Via Installation Packages

Linux is widely used in numerous servers, cloud infrastructure, and Internet of Things devices,...

ViperSoftX Malware Uses Deep Learning Model To Execute Commands

ViperSoftX malware, known for stealing cryptocurrency information, now leverages Tesseract, an open-source OCR engine,...

Santander Data Breach: Hackers Accessed Company Database

Santander has confirmed that there was a major data breach that affected its workers...

U.S. Govt Announces Rewards up to $5 Million for North Korean IT Workers

The U.S. government has offered a prize of up to $5 million for information...

Russian APT Hackers Attacking Critical Infrastructure

Russia leverages a mix of state-backed Advanced Persistent Threat (APT) groups and financially motivated...

Millions Of IoT Devices Vulnerable To Attacks Leads To Full Takeover

Researchers discovered four significant vulnerabilities in the ThroughTek Kalay Platform, which powers 100 million...

Free Webinar

Live API Attack Simulation

94% of organizations experience security problems in production APIs, and one in five suffers a data breach. As a result, cyber-attacks on APIs increased from 35% in 2022 to 46% in 2023, and this trend continues to rise.
Key takeaways include:

  • An exploit of OWASP API Top 10 vulnerability
  • A brute force ATO (Account Takeover) attack on API
  • A DDoS attack on an API
  • Positive security model automation to prevent API attacks

Related Articles