NBD: Adobe just dumped its private PGP key on the internet

Change the name to A-d'oh!-be

Updated An absent-minded security staffer just accidentally leaked Adobe's private PGP key onto the internet.

The disclosure was spotted by security researcher Juho Nurminen – who found the key on the Photoshop giant's Product Security Incident Response Team blog, ironically. That contact page should have only included the public PGP key.

Adobe has not returned a request for comment on the matter, possibly because it has slightly more pressing concerns at the moment. Namely, key rotation and internal public-private key education. It has also torn down its private key from the security blog.

It goes without saying that the disclosure of a private security key would, to put it mildly, ruin a few employees' Friday. Armed with the private key, an attacker could spoof PGP-signed messages as coming from Adobe. Additionally, someone (cough, cough the NSA) with the ability to intercept emails – such as those detailing exploitable Flash security vulnerability reports intended for Adobe's eyes only – could use the exposed key to decrypt messages that could contain things like, say, zero-day vulnerability disclosures.

Armed with that info, miscreants could exploit that information to infect victims with malware before Adobe had even considered deploying a patch.

On the other hand, PGP isn't exactly known for being a user-friendly system, and the process of intercepting and decrypting messages would be difficult to do before the keys are changed.

While very embarrassing for Adobe, the likelihood this will lead to any sort of catastrophic incident is fairly low, especially if the key is only being used for email. Still, it's rather clumsy. We're all only human after all. ?

Updated to add on September 25

A apokesperson for the Photoshop giant has been in touch to say:

Adobe is aware of the issue and has revoked the PGP key in question and published a new public and private key. The PGP key in question was used exclusively for email correspondence between external security researchers and the Adobe security team, and there is no impact to Adobe customers.


Biting the hand that feeds IT ? 1998–2017

  • 1015111305 2018-02-19
  • 6607141304 2018-02-19
  • 5587621303 2018-02-19
  • 6265761302 2018-02-19
  • 6666351301 2018-02-19
  • 3788381300 2018-02-19
  • 9596221299 2018-02-19
  • 1153531298 2018-02-19
  • 8253311297 2018-02-19
  • 1614291296 2018-02-19
  • 107351295 2018-02-18
  • 9487041294 2018-02-18
  • 7763841293 2018-02-18
  • 5836761292 2018-02-18
  • 615581291 2018-02-18
  • 5081161290 2018-02-18
  • 321961289 2018-02-18
  • 776731288 2018-02-18
  • 9075261287 2018-02-18
  • 3005511286 2018-02-18