The Adobe product security incident response team (PSIRT) accidentally published a private PGP key on its blog, once discovered the issue it quickly revoked it.
On Friday, the Adobe PSIRT updated its Pretty Good Privacy (PGP) key and published the new public key on the blog post. The new key should have been valid until September 2018, but something strange has happened. The security expert Juho Nurminen first noted that scrolling down in the blog post containing there were present both public and private PGP keys.
In a PKI infrastructure, messages to be sent to the recipient are encrypted with the public key it has shared (in the Adobe case it was published in the blog post), and only the legitimate recipient can read it by using the associated private PGP key.
The accidental disclosure of the private key could have allowed anyone to decrypt encrypted email messages sent by the users to the company.
The Adobe PGP key was generated using Mailvelope, a popular open source browser extension for OpenPGP.
Mailvelope allows users to export either the public key, the private key, or both by selecting the “All” option. The Adobe employee who was exported the public PGP key likely selected the “All” option and copied the generated data without noticing it was sharing the private PGP key as well.
Adobe has promptly removed the blog post and revoked the compromised private key, but it was too late because it is still possible to find copy of the post online. Adobe has generated a new key pair, and this time avoiding using Mailvelope, but using GPGTools.
Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer.
Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US.
Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines.
Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.