September 25, 2017 // 7:50 a.m.
Adobe's security team has been criticised for a serious operational gaffe over the weekend when it became known the group had published a private encryption key, rather than the public half, on its official security blog.
When the words 'Adobe' and 'security' occur in the same sentence, the news isn't usually good: The company's popular Flash Player software, now heading into its long-overdue retirement, is the source of at least one critical-level security vulnerability every single month, and the company's internal servers were the subject of a major security breach in 2013 for which the company was fined £800,000.
Continuing an apparent trend of something less than excellence, Adobe's Product Security Incident Team made a serious mistake this weekend when the private half of a Pretty Good Privacy (PGP) cryptographic key was published to the company's official blog, rather than the public half. To explain: PGP keys operate through public-key cryptography, in which a public key is known by all and can be used to encrypt information for the owner's sole attention, while a paired private key is used to decrypt information encrypted with the public key and also to sign messages and data as having genuinely originated from the key owner and not having been modified in transit.
Spotted by security researcher Juho Nurminen and publicised via Twitter, the Adobe private key published on a publicly available website would allow anyone to act as Adobe's security team - including signing malicious files as being legitimate, signing phishing messages, and decrypting information meant for Adobe's eyes only. In minor mitigation, Nurminen found the key was relatively new - just four days old - and was quickly revoked by Adobe, meaning it is no longer available from public PGP key servers. While data already encrypted with the key can still be decrypted by anyone who snagged a copy while it was available, the revocation means that nobody should be fooled into believing messages or files signed with the leaked key are legitimately from Adobe.
Although Adobe was quick to take action regarding the key's publication, the company has not yet issued a statement on how the private half was published in the first place - though simple human error is the overwhelmingly likeliest explanation.
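The kind of pre-publication check that would catch this mistake, written here as an added example rather than anything Adobe runs: it scans a draft post for ASCII-armored PGP blocks and flags any that carry secret-key material, judging by the tag of the first OpenPGP packet (RFC 4880) instead of trusting the armor label alone, so a secret key pasted under a "PUBLIC KEY BLOCK" header is still caught. The `_armor` helper and the sample post are constructed for the demonstration.

```python
import base64
import re

# OpenPGP packet tags (RFC 4880 section 4.3) for key-material packets.
SECRET_TAGS = {5: "Secret-Key", 7: "Secret-Subkey"}
PUBLIC_TAGS = {6: "Public-Key", 14: "Public-Subkey"}
ARMOR_RE = re.compile(
    r"-----BEGIN PGP ([A-Z ]+)-----\n(.*?)-----END PGP \1-----", re.DOTALL)

def first_packet_tag(armor_body: str) -> int:
    """Return the tag of the first OpenPGP packet in an armored body."""
    # Keep only base64 lines: drops "Version:"-style armor headers and the
    # optional "=XXXX" CRC line that closes the armor.
    b64 = "".join(line for line in armor_body.splitlines()
                  if line.strip() and ":" not in line and not line.startswith("="))
    data = base64.b64decode(b64, validate=True)  # raises ValueError on junk
    if not data or not data[0] & 0x80:
        raise ValueError("first byte is not a packet header")
    # New-format header: bit 6 set, tag in the low six bits; old-format: bits 5..2.
    return data[0] & 0x3F if data[0] & 0x40 else (data[0] >> 2) & 0x0F

def scan_for_private_keys(text: str) -> list:
    """Flag armored blocks that are, or claim to be, private key material."""
    findings = []
    for match in ARMOR_RE.finditer(text):
        label, body = match.group(1), match.group(2)
        try:
            tag = first_packet_tag(body)
        except ValueError as exc:
            findings.append((label, f"unparseable ({exc})"))
            continue
        if tag in SECRET_TAGS or "PRIVATE" in label:
            name = SECRET_TAGS.get(tag) or PUBLIC_TAGS.get(tag) or f"tag {tag}"
            findings.append((label, name))
    return findings

def _armor(label: str, packet: bytes) -> str:
    """Constructed helper: wrap raw packet bytes in a minimal armor block."""
    b64 = base64.b64encode(packet).decode()
    return f"-----BEGIN PGP {label}-----\n\n{b64}\n-----END PGP {label}-----"

# Constructed draft post: a public key (old-format tag 6, armor starts "mQ"),
# a private key pasted by mistake (tag 5, starts "lQ"), and secret-key
# material hidden under a public-key label (new-format header byte 0xC5).
SAMPLE_POST = "\n".join([
    "Our PGP key for reporting security issues:",
    _armor("PUBLIC KEY BLOCK", b"\x99\x00\x05\x04\x00\x00\x00\x00"),
    _armor("PRIVATE KEY BLOCK", b"\x95\x00\x05\x04\x00\x00\x00\x00"),
    _armor("PUBLIC KEY BLOCK", b"\xc5\x05\x04\x00\x00\x00\x00"),
])
```

Running `scan_for_private_keys(SAMPLE_POST)` reports the second and third blocks and leaves the genuine public key alone; wiring it into a publishing pipeline as a blocking step is the obvious use.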