Adobe’s security team reveals its private PGP key

Quack quack oops.

Graham Cluley

A careless finger fumble can easily put the security of your organisation at risk.

All you need to do is click on the wrong link, open a malicious attachment, enter your password on a dodgy phishing site, or – in the case of Adobe – publish your private PGP key for anyone to see on your security blog.

Yes, you read that right – Adobe’s security team published the private PGP key for its [email protected] email account.

There aren’t enough face-palming GIFs in the world to express just how much of a goof that is.

It was an accident, of course. One assumes a member of staff was updating the public key used by Adobe’s security team for encrypted communications with the infosecurity community and simply cut and pasted more than they should have.

But the consequences could have been serious. An opportunistic hacker could have used the private key to create PGP-signed messages that appeared to really come from Adobe’s security team. Furthermore, the key could have been used to unlock messages sent to Adobe’s security team from researchers who had discovered zero-day vulnerabilities in – say – Flash Player. That’s not the kind of information you want to fall into the hands of a sophisticated hacking group or intelligence agency.

One also has to wonder how long it would have taken for the key to be revoked if security researcher Juho Nurminen had not privately informed Adobe about the problem.

After Adobe hurriedly revoked the PGP key, Juho was safe to publicise his discovery.

https://twitter.com/jupenur/status/911286403434246144/photo/1

Adobe has issued a statement reassuring customers that it doesn’t believe any harm was done.

Adobe is aware of the issue and has revoked the PGP key in question and published a new public and private key. The PGP key in question was used exclusively for email correspondence between external security researchers and the Adobe security team, and there is no impact to Adobe customers.

Well, no harm apart from the damage done to Adobe’s reputation, of course. People will be joking about this finger fumble for years.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

2 comments on “Adobe’s security team reveals its private PGP key”

  1. dan

    "Your PGP private key is stored on your disk in encrypted form. In particular, it is encrypted using your passphrase. To decrypt a file, PGP needs (1) your passphrase, and (2) the encrypted private key file; from these it can reconstitute your private key, and then decrypt the file."
    To be clear, what was posted was the private key file, not the decrypted private key.

    "But the consequences could have been serious. An opportunistic hacker could have used the private key to create PGP-signed messages that appeared to really come from Adobe's security team."
    This would also require the passphrase to decrypt the private key file.

    "Furthermore, the key could have been used to unlock messages sent to Adobe's security team from researchers who had discovered zero-day vulnerabilities"
    This would also require the passphrase to decrypt the private key file, along with a copy of the email message sent to the security team.

    1. Graham Cluley · in reply to dan

      Quite correct Dan! Yes, the private key would need to be decrypted with the passphrase. Let's hope they chose a strong, hard-to-crack passphrase.

      I think we're all in agreement that publishing a private key is still a very bad idea.
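The article's consequences paragraph and dan's comment above turn on one question a defender can check mechanically before anything goes out on a blog or into a repository: does a pasted block contain an OpenPGP secret-key packet, and is its secret material passphrase-protected (the string-to-key usage octet)? The following Python is an added example, not code from the post or from Adobe; it parses the armored block per RFC 4880, assumes old-format packet headers and the RSA/DSA/ElGamal public-field layout, and builds its own constructed, non-functional sample key to run against.

```python
import base64
import re

ARMOR = re.compile(r"-----BEGIN PGP PRIVATE KEY BLOCK-----\n(.*?)-----END PGP PRIVATE KEY BLOCK-----", re.S)
MPI_COUNT = {1: 2, 2: 2, 3: 2, 16: 3, 17: 4}  # public-key MPIs per algorithm id: RSA, ElGamal, DSA

def dearmor(inner: str) -> bytes:
    """Drop 'Key: value' armor headers and the '=XXXX' checksum line, decode the base64 body."""
    b64 = [l.strip() for l in inner.splitlines() if l.strip() and ":" not in l and not l.startswith("=")]
    return base64.b64decode("".join(b64))

def first_packet(data: bytes):
    """Return (tag, body) of the first packet. Key packets use old-format headers (RFC 4880 4.2.1)."""
    if data[0] & 0xC0 != 0x80:
        raise ValueError("not an old-format OpenPGP packet header")
    tag, ltype = (data[0] >> 2) & 0x0F, data[0] & 3
    if ltype == 3:
        raise ValueError("indeterminate packet length not supported")
    size = 1 << ltype                               # 1, 2 or 4 length octets follow the tag
    n = int.from_bytes(data[1:1 + size], "big")
    return tag, data[1 + size:1 + size + n]

def protection(body: bytes) -> str:
    """Classify a v4 secret-key packet body by its string-to-key (S2K) usage octet (RFC 4880 5.5.3)."""
    if body[0] != 4 or body[5] not in MPI_COUNT:
        return "unsupported key version or algorithm"
    pos = 6                                         # after version, creation time, algorithm id
    for _ in range(MPI_COUNT[body[5]]):             # skip the public MPIs: 2-octet bit count + value
        pos += 2 + (int.from_bytes(body[pos:pos + 2], "big") + 7) // 8
    s2k = body[pos]
    if s2k == 0:
        return "UNPROTECTED secret key material"
    return "passphrase-protected (%s)" % ("S2K" if s2k in (254, 255) else "legacy cipher id %d" % s2k)

def scan(text: str) -> list:
    """Report each private key block in text and whether its secret material is passphrase-protected."""
    findings = []
    for m in ARMOR.finditer(text):
        tag, body = first_packet(dearmor(m.group(1)))
        findings.append(protection(body) if tag == 5 else "first packet is tag %d, not a secret key" % tag)
    return findings

def constructed_sample(s2k_usage: int) -> str:
    """Armored RSA secret-key packet with dummy MPIs. Constructed for this demo; not a real key."""
    body = (b"\x04" + b"\x00" * 4 + b"\x01"                   # version 4, creation time, RSA
            + b"\x00\x10\xff\xff" + b"\x00\x11\x01\x00\x01"    # tiny MPIs n (16 bits) and e (17 bits)
            + bytes([s2k_usage]) + b"\x00" * 4)               # S2K usage octet, then filler
    pkt = bytes([0x94, len(body)]) + body                     # old-format header: tag 5, 1-octet length
    return ("-----BEGIN PGP PRIVATE KEY BLOCK-----\nVersion: constructed\n\n%s\n"
            "-----END PGP PRIVATE KEY BLOCK-----\n" % base64.b64encode(pkt).decode())
```

Run `scan()` over any draft before publishing: a hit with "UNPROTECTED" means the raw key is exposed outright, while a "passphrase-protected" hit is still a leak whose safety rests entirely on the passphrase strength Graham mentions above.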
