Adobe accidentally posted its secret PGP key on the blog.

Adobe randomly published its PGP public and private keys on the Incident Response Team Blog (PSIRT). Usually, only the public key is published on this page - it is needed to confirm the authenticity of the letters from PSIRT. But this time, the private one was also published under the public key, which is used for signing (see screenshot).

On September 22, 2017, security specialist Juho Nurminen was the first to notice this fact.

Most likely, the incident was caused by the fact that a certain employee of the company did not understand the difference between public and private keys - and published both. Probably , the employee, when exporting the key to a text file through the Mailvelope browser extension, slightly confused the buttons and pressed All instead of Public.

Needless to say, threatening to publish a private key. Anyone on the Internet can send encrypted emails by signing with an authentic Adobe signature (you also need a password). In addition, anyone can decrypt the encrypted emails that Adobe sent - and they may contain information about 0day vulnerabilities in its products. In principle, you can now decrypt old encrypted emails sent before September 22. Of course, you need to have access to the letters themselves.

The likelihood of new exploits for Adobe products in connection with this incident is low. It simply says that some employees need to listen to a lecture on cryptography.

To date, the Adobe incident response team has generated a new key pair and posted a new public key.


All Articles