U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Adobe accidentally leaked online its Private PGP Key

The Adobe product security incident response team (PSIRT) accidentally published a private PGP key on its blog, once discovered the issue it quickly revoked it. On Friday, the Adobe PSIRT updated its Pretty Good Privacy (PGP) key and published the new public key on the blog post. The new key should have been valid until September […]

DataVault encryption software

The Adobe product security incident response team (PSIRT) accidentally published a private PGP key on its blog, once discovered the issue it quickly revoked it.

On Friday, the Adobe PSIRT updated its Pretty Good Privacy (PGP) key and published the new public key on the blog post. The new key should have been valid until September 2018, but something strange has happened. The security expert  Juho Nurminen first noted that scrolling down in the blog post containing there were present both public and private PGP keys.

In a PKI infrastructure, messages to be sent to the recipient are encrypted with the public key it has shared (in the Adobe case it was published in the blog post), and only the legitimate recipient can read it by using the associated private PGP key.

encryption PGP key

The accidental disclosure of the private key could have allowed anyone to decrypt encrypted email messages sent by the users to the company.

The Adobe PGP key was generated using Mailvelope, a popular open source browser extension for OpenPGP.

Mailvelope allows users to export either the public key, the private key, or both by selecting the “All” option. The Adobe employee who was exported the public PGP key likely selected the “All” option and copied the generated data without noticing it was sharing the private PGP key as well.

Adobe has promptly removed the blog post and revoked the compromised private key, but it was too late because it is still possible to find copy of the post online. Adobe has generated a new key pair, and this time avoiding using Mailvelope, but using GPGTools.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – PGP key, Adobe)

[adrotate banner=”13″]