
The Product Security Incident Response Team (PSIRT) of Adobe accidentally posted their private PGP key on their blog.

Pretty Good Privacy (PGP) is an encryption program used to send information securely over the internet. Data is encrypted with a public key, which can be shared with anyone who wants to communicate with the key's owner, and decrypted with a private key, which should be kept secret.

Last Friday, the Adobe PSIRT team updated their public key, which is valid until September 2018, but one of their team members accidentally published the private key along with the public key.

When a user wants to export a key, they can do so by clicking either the export public key or the export private key option, or by clicking the ‘All’ option, which exports both keys. Here, the Adobe employee responsible for the mistake likely clicked the ‘All’ option and published the data without noticing that it also contained the private key.

Accidentally posting the private key allows anyone to decrypt the emails, which only the company should have been able to do.

The mistake was first noticed by a Finland-based security researcher, Juho Nurminen, and it was confirmed that the key was associated with Adobe’s PSIRT email account.

PSIRT quickly noticed their mistake and replaced the public key with a new one. Archived versions and screenshots of the post are still available online.

Paul Ducklin, a security researcher at Sophos, wrote in a blog post: “Fortunately, as far as we can see, Adobe's (now-revoked) private key was itself encrypted with a passphrase, meaning that it can't be used without a secret unlock code of its own, but private keys aren't supposed to be revealed even if they are stored in encrypted form.”
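A pre-publication check for the export mistake described above, added here as an example and not taken from Adobe or the original article: it scans a draft for ASCII-armored PGP blocks and flags any whose armor label or first OpenPGP packet tag indicates secret key material. The function names and the sample draft are constructed for illustration.

```python
import base64
import re

# OpenPGP packet tags that carry secret key material (RFC 4880, section 4.3).
SECRET_TAGS = {5: "Secret-Key", 7: "Secret-Subkey"}
ARMOR_RE = re.compile(
    r"-----BEGIN PGP ([A-Z ]+)-----\r?\n(.*?)\r?\n-----END PGP \1-----", re.DOTALL)

def first_packet_tag(data):
    """Tag of the first OpenPGP packet in data, or None if it is not a packet."""
    if not data or not data[0] & 0x80:
        return None
    if data[0] & 0x40:              # new-format header: tag is bits 5-0
        return data[0] & 0x3F
    return (data[0] >> 2) & 0x0F    # old-format header: tag is bits 5-2

def armor_payload(body):
    """Base64-decode an armor body, skipping armor headers and the CRC line."""
    lines = [ln.strip() for ln in body.splitlines()]
    if "" in lines:                 # headers such as "Version:" end at a blank line
        lines = lines[lines.index("") + 1:]
    return base64.b64decode("".join(ln for ln in lines if not ln.startswith("=")))

def find_secret_key_blocks(text):
    """Return (armor label, packet type) for every block holding secret key material."""
    findings = []
    for match in ARMOR_RE.finditer(text):
        label = match.group(1)
        try:
            tag = first_packet_tag(armor_payload(match.group(2)))
        except ValueError:          # undecodable body: fall back to the label alone
            tag = None
        if "PRIVATE KEY" in label or tag in SECRET_TAGS:
            findings.append((label, SECRET_TAGS.get(tag, "undetermined")))
    return findings

def make_armor(label, payload):
    """Build a constructed armor block (no CRC line) for the demo below."""
    b64 = base64.b64encode(payload).decode()
    return f"-----BEGIN PGP {label}-----\n\n{b64}\n-----END PGP {label}-----\n"

if __name__ == "__main__":
    # Constructed draft: packet headers only, no real key material.
    draft = ("Our new key:\n" + make_armor("PUBLIC KEY BLOCK", b"\x99\x00\x01\x04")
             + make_armor("PRIVATE KEY BLOCK", b"\x95\x00\x01\x04"))
    for label, kind in find_secret_key_blocks(draft):
        print(f"do not publish: {label} ({kind} packet)")
```

Checking the packet tag as well as the armor label catches a secret key that has been pasted under a public-key header.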