Hacker compromises Google, Yahoo secure site credentials

Government (U.S.) // Web Services // New Delhi, India

The counterfeit Secure Sockets Layer (SSL) certificates could be used to spoof content, perform phishing attacks or execute man-in-the-middle attacks against Web properties, a Microsoft advisory warned.

Microsoft issued an emergency update for most supported versions of Windows to prevent such fraud.

The advisory “flagged 45 separate URLs that were vulnerable to spoofing by counterfeit certificates that stemmed from a recent hack of an India-based [certificate authority],” Ars reports. “The bogus certificates covered various subdomains for Google, Yahoo, yahoo-inc.com, yahooapis.com, static.com, and gstatic.com.”

Security specialists say it’s still possible that the hackers generated additional tainted certificates covering the same or different domains.

The fake certificates pose a risk to Windows users accessing SSL-protected sections of Google, Yahoo, and any other affected domains.

“Millions of sites operated by banks, e-commerce companies, and other types of online services use such cryptographic credentials to encrypt data passing over the open Internet and to prove the authenticity of their servers,” according to Ars.