Opera code-signing certificate abused in failed breach


Summary: Opera has managed to detect and stop an attack on its internal systems, but not before potentially a few thousand Windows users were put in harm's way.


Opera Software has opened up about a breach it experienced last week that it believes it was able to successfully stop.

Posting on its security blog, the company admitted that on June 19 it discovered an attack on its internal network infrastructure. Although it stated that the breach was stopped, the company said that the attackers were able to steal at least one old code-signing certificate, and that this was used to sign malware.

"This has allowed them to distribute malicious software, which incorrectly appears to have been published by Opera Software, or appears to be the Opera browser."

Despite the certificates being old and expired, Opera Software said it is possible that "a few thousand Windows users" could have received and installed malicious software during the 36-minute window in which the attack was in effect.

The company is now planning to roll out a new version of its software, which will use a new code-signing certificate.

As for the rest of its systems, it doesn't believe that any user data was compromised, but it is still working with authorities to determine the full extent of the breach.

A similar breach occurred on Adobe's internal infrastructure in September last year, where, over a two-month period, attackers were able to create two malicious files that could masquerade as legitimate Adobe software. The company has since created a new CSO role, and placed its product security head Brad Arkin in it, with specific responsibility for its internal systems.


Michael Lee

About Michael Lee

A Sydney, Australia-based journalist, Michael Lee covers a gamut of news in the technology space including information security, state Government initiatives, and local startups.
