Adobe suffered a lot on Friday when its Private PGP keys were inadvertently published on its Product Incident Security Response Team(Blog).
A pair of Public and Private keys were published together, Keys could either decrypt messages sent to Adobe Product Incident Security Response Team(PSIRT).
Researcher Juho Nurminen who works for Finnish security company 2NS (Second Nature Security) as a pen-tester said risk posed by this leak could be stealing private messages or Phishing attack is possible.
The private key encrypted using a passphrase.Without knowing the passphrase, private Key is worthless.If the passphrase is weak, it can be brute-forced said researcher Juho Nurminen.
Since Adobe PSIRT don’t have direct contact with customers, therefore phishing on a wide scale is not a concern.
If Successfully decrypt the private key is not worth.Nurminen said “Decryption only comes into play if you’re able to intercept some encrypted messages first, which would be fairly difficult in general, and in this case, very unlikely to have ever happened.
Threatpost said, A Report sent to Adobe on Saturday for comment but not returned in time for publication.Hours later Nurminen’s private disclosure, Then after Adobe took down the post and generated a new private Key.
Once the key had been taken down, Nurminen tweeted screenshots showing the public and private key as well as a third screenshot showing that the key had been created Sept. 18, four days before the researcher stumbled upon it.
Asymmetric cryptography uses a public-private key pair to decrypt messages. Public keys are generally generated by the owner in order to simplify secure communication between two endpoints. Only Adobe knows how the private key was published in a public forum.
Actual consequences in terms of data loss etc. are likely zero,” Nurminen said he found an issue in an Adobe product during a software audit he conducted for his client.“The PSIRT email address was listed on the Adobe website as it should be, along with a link to the blog page containing the PGP keys,” Nurminen said. “The page was obviously supposed to contain only the public key, but instead it contained both the public and the private key.”
Nurminen sent a Twitter direct message to Adobe, Adobe responded that the issue would be forwarded to the appropriate security Team.After some time Nurminen reported the issue to Adobe PSIRT through its HackerOne program.
Finally, Nurminen said. “They closed the [HackerOne] ticket as fixed. I only tweeted out the screenshots once I knew the key was no longer in use. I haven’t heard anything more from Adobe after they closed the [HackerOne] ticket.”
