NBD: Adobe just dumped its private PGP key on the internet
Change the name to A-d'oh!-be
Updated An absent-minded security staffer just accidentally leaked Adobe's private PGP key onto the internet.
The disclosure was spotted by security researcher Juho Nurminen – who found the key on the Photoshop giant's Product Security Incident Response Team blog, ironically. That contact page should have only included the public PGP key.
Oh shit Adobe pic.twitter.com/7rDL3LWVVz— Juho Nurminen (@jupenur) September 22, 2017
Adobe has not returned a request for comment on the matter, possibly because it has slightly more pressing concerns at the moment. Namely, key rotation and internal public-private key education. It has also torn down its private key from the security blog.
It goes without saying that the disclosure of a private security key would, to put it mildly, ruin a few employees' Friday. Armed with the private key, an attacker could spoof PGP-signed messages as coming from Adobe. Additionally, someone (cough, cough the NSA) with the ability to intercept emails – such as those detailing exploitable Flash security vulnerability reports intended for Adobe's eyes only – could use the exposed key to decrypt messages that could contain things like, say, zero-day vulnerability disclosures.
Armed with that info, miscreants could exploit that information to infect victims with malware before Adobe had even considered deploying a patch.
On the other hand, PGP isn't exactly known for being a user-friendly system, and the process of intercepting and decrypting messages would be difficult to do before the keys are changed.
While very embarrassing for Adobe, the likelihood this will lead to any sort of catastrophic incident is fairly low, especially if the key is only being used for email. Still, it's rather clumsy. We're all only human after all. ®
Updated to add on September 25
A apokesperson for the Photoshop giant has been in touch to say:
Adobe is aware of the issue and has revoked the PGP key in question and published a new public and private key. The PGP key in question was used exclusively for email correspondence between external security researchers and the Adobe security team, and there is no impact to Adobe customers.