Adobe suffered at a minimum a PR black eye on Friday when one of its private PGP keys was inadvertently published to its Product Incident Security Response Team (PSIRT) blog.
The company’s public and private key pair were published together, both of which could be used to either decrypt messages sent to Adobe PSIRT, or sign messages purporting to be Adobe PSIRT.
The risks posed by this leak, such as stealing private messages or carrying out a phishing attack, were lessened by a number of factors said researcher Juho Nurminen who works for Finnish security company 2NS (Second Nature Security) as a pen-tester. Nurminen discovered the publication of the private key as he was trying to report a vulnerability in an Adobe product to the company’s security team.
“The private key was encrypted using a passphrase. Without knowing the passphrase, the key is worthless. If the passphrase is weak enough, it can be brute-forced, though,” Nurminen said.
“Anyway, even if you successfully decrypt the private key, it still isn’t worth much,” Nurminen added. “Decryption only comes into play if you’re able to intercept some encrypted messages first, which would be fairly difficult in general, and in this case, very unlikely to have ever happened. Signing messages would be easier, but there’s not much to gain by doing that. PSIRTs normally aren’t in direct contact with any customers, so phishing on a large scale is not a concern. The average customer wouldn’t even know what the Adobe PSIRT is, so where’s the benefit in trying to impersonate them?”
A request sent to Adobe on Saturday for comment was not returned in time for publication. A few hours after Nurminen’s private disclosure, Adobe took down the post and generated a new private key.
Once the key had been taken down, Nurminen tweeted screenshots showing the public and private key as well as a third screenshot showing that the key had been created Sept. 18, four days before the researcher stumbled upon it.
Oh shit Adobe pic.twitter.com/7rDL3LWVVz
— Juho Nurminen (@jupenur) September 22, 2017
“The key was generated on Monday, and I discovered it on Friday,” Nurminen said. “It was added to the blog some time in between. That’s a really short time. I may have been the first person who even tried using the key. It’s possible no messages were ever actually encrypted or signed with it.”
Asymmetric cryptography uses a public-private key pair to decrypt messages. Public keys are generally published by the owner in order to simplify secure communication between two endpoints. Only Adobe knows how the private key was published in a public forum; PGP, meanwhile, is notoriously tricky to use, even for seasoned tech people.
“The whole situation is really bad PR for Adobe, but the actual consequences in terms of data loss etc. are likely zero,” Nurminen said.
Nurminen said he found an issue in an Adobe product during a software audit he conducted for a client.
“The PSIRT email address was listed on the Adobe website as it should be, along with a link to the blog page containing the PGP keys,” Nurminen said. “The page was obviously supposed to contain only the public key, but instead it contained both the public and the private key.”
Nurminen sent a Twitter direct message to Adobe, and they immediately responded that the issue would be forwarded to the appropriate security contact. Nurminen said after some time passed he then reported the issue to Adobe PSIRT through its HackerOne program.
“A bit later the key was taken down and revoked,” Nurminen said. “They closed the [HackerOne] ticket as fixed. I only tweeted out the screenshots once I knew the key was no longer in use. I haven’t heard anything more from Adobe after they closed the [HackerOne] ticket.”