With the private key in the wild it would be possible to create and sign an extension which appeared to be from Yahoo!; Cubrilovic demonstrated this by creating “yahoo-spoof”, a lightly modified version of the extension, signed with the private certificate. According to Cubrilovic, there was no password associated with the certificate, which allowed this signing to take place, and the build script was also included in the extension.
It would have been possible, if DNS was appropriately compromised, to have updated a legitimate Axis extension with a correctly signed but malicious version. Given how new Axis is, this would have been unlikely, but leaving a private certificate in the distributed extension does raise questions over how thorough and secure Yahoo!’s release process is. A member of the Axis team, Ethan Batraski, commented on various sites that Yahoo! had pulled down the Chrome extension and blacklisted the exposed certificate. The company has since released an updated version of the Chrome extension signed with a new private certificate.
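The incident above comes down to a release-process gap: the signing key and the build script were packaged alongside the extension's own files. The check below is an added example, not code from the article or from Yahoo!, showing the kind of pre-publish gate that would have caught it. It scans a zipped extension package for PEM private-key blocks, key-like file names and shell scripts, using a constructed sample package (file names and the placeholder key body are invented for the demonstration).

```python
import io
import re
import zipfile

# PEM headers that mark key material which must never ship inside a release artifact.
PRIVATE_KEY_MARKERS = re.compile(
    rb"-----BEGIN (?:RSA |EC |DSA |ENCRYPTED |OPENSSH )?PRIVATE KEY-----"
)
# File suffixes that usually hold keys or certificate bundles with private parts.
KEY_SUFFIXES = (".pem", ".key", ".p12", ".pfx")
# A browser extension has no reason to ship build tooling.
SCRIPT_SUFFIXES = (".sh",)


def scan_package(zip_bytes):
    """Return a list of (member_name, reason) findings for a zipped extension package."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            lower = name.lower()
            if lower.endswith(KEY_SUFFIXES):
                findings.append((name, "key-like file extension"))
            if lower.endswith(SCRIPT_SUFFIXES):
                findings.append((name, "build/shell script shipped in package"))
            # Content check catches keys regardless of the file name they were given.
            match = PRIVATE_KEY_MARKERS.search(zf.read(name))
            if match:
                findings.append((name, "PEM private key block: " + match.group(0).decode()))
    return findings


def release_gate(zip_bytes):
    """True if the package carries no findings and may be published."""
    return not scan_package(zip_bytes)


def build_sample_package(include_secrets=True):
    """Construct a small extension zip (constructed sample, not a real extension).

    With include_secrets=True it mimics a build that accidentally bundled its
    signing key and build script next to the extension files.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("manifest.json", '{"name": "example-ext", "version": "1.0"}')
        zf.writestr("background.js", "console.log('hello');")
        if include_secrets:
            zf.writestr("build.sh", "#!/bin/sh\n# hypothetical build script\n")
            zf.writestr(
                "signing.pem",
                "-----BEGIN RSA PRIVATE KEY-----\nNOTAREALKEY\n-----END RSA PRIVATE KEY-----\n",
            )
    return buf.getvalue()


if __name__ == "__main__":
    for member, reason in scan_package(build_sample_package()):
        print(f"BLOCK {member}: {reason}")
    print("clean package passes gate:", release_gate(build_sample_package(include_secrets=False)))
```

Run the gate against the exact archive you are about to upload rather than the source tree, since the packaging step is where stray files from the build directory get picked up; a password on the key would not have helped here once the build script showed how it was used, so keeping the key out of the artifact entirely is the control that matters.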