Tech

Adobe accidentally releases private PGP key

The firm's security team failed in a spectacular fashion.

Written by Charlie Osborne, Contributing Writer Sept. 25, 2017 at 1:35 a.m. PT

Adobe has earned mockery after accidentally posting its private PGP key on the firm's official security blog.

Last week, Adobe's product security incident response team (PSIRT) accidentally published the private PGP key on the PSIRT blog on Friday, a lesson in what you should never reveal unless you want others to impersonate you.

While it was quickly revoked, this did not stop sharp-eyed visitors from quickly working out what was amiss and taking screenshots of the spectacular failure.

An archived version of the post is available via Google Cache, clearly showing both the public and private PGP keys generated by the company.

Security

Pretty Good Privacy (PGP) is a system which, through OpenPGP, allows users to send encrypted messages over the Internet, adding an additional layer of privacy and security to communication. This system is often used for private email exchanges, and while you encrypt using a public key, messages are then decrypted using private keys.

If you release the private key to the universe, then the entire system collapses.

As Adobe released its private key by accident, messages sent for the firm's eyes only could then be decrypted by anyone.

This, no doubt, PSIRT is well aware of, as the blog post was quickly pulled and the key was revoked, but this is still a moment that must have caused some serious embarrassment.

As noted by one researcher, an export error may have caused the issue, but a simple check before clicking the publish button could have prevented the unfortunate incident.

"Fortunately, as far as we can see, Adobe's (now-revoked) private key was itself encrypted with a passphrase, meaning that it can't be used without a secret unlock code of its own, but private keys aren't supposed to be revealed even if they are stored in encrypted form," noted Sophos security researcher Paul Ducklin. "If you let your PGP/GPG private key slip, your leak cuts both ways, potentially affecting both you and the other person in the communication, for messages in either direction."