Adobe accidentally blogged its PGP secret key

    Adobe accidentally posted both its public and private PGP keys to the Incident Response Team (PSIRT) blog. Usually, only the public key is published on this page; it is needed to confirm the authenticity of emails from PSIRT. This time, however, the private key, which is used for signing, was also published below the public key (see screenshot).

    The blunder was first noticed on September 22, 2017 by security specialist Juho Nurminen.

    Most likely, the incident happened because an employee of the company did not understand the difference between public and private keys and published both. Probably the employee, when exporting the key to a text file through the Mailvelope browser extension, mixed up the buttons and pressed All instead of Public.

    It goes without saying what publishing a private key threatens. Anyone on the Internet can send encrypted emails signed with an authentic Adobe signature (the password is still needed). In addition, anyone can decrypt the encrypted messages sent by Adobe, and those may contain information about 0day vulnerabilities in its products. In principle, old encrypted emails sent before September 22 can now be decrypted as well. Of course, this requires access to the emails themselves.

    The likelihood of new exploits for Adobe products appearing because of this incident is low. It merely shows that some employees need to attend a lecture on cryptography.

    At this point, the Adobe Incident Response Team has generated a new key pair and uploaded a new public key.
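
A pre-publication check for the export mistake described above, as an added example that is not from the original article or from Adobe: it scans text for ASCII-armored OpenPGP blocks and flags any whose armor label or first packet tag marks secret key material, so a secret key pasted under the wrong label is caught too. The function names and the sample blocks are constructed for illustration.

```python
import base64
import re

# OpenPGP packet tags that carry secret key material (RFC 4880, section 4.3).
SECRET_TAGS = {5: "Secret-Key", 7: "Secret-Subkey"}
ARMOR_RE = re.compile(
    r"-----BEGIN PGP ([A-Z ]+)-----\r?\n(.*?)-----END PGP \1-----", re.S)

def first_packet_tag(body):
    """Return the tag of the first OpenPGP packet in an armor body, or None."""
    lines = [ln.strip() for ln in body.splitlines()]
    if "" in lines:  # armor headers ("Version: ...") end at the first blank line
        lines = lines[lines.index("") + 1:]
    # Skip the "=XXXX" CRC-24 line; only the first data bytes are needed.
    b64 = "".join(ln for ln in lines if ln and not ln.startswith("="))
    try:
        first = base64.b64decode(b64[:4])[0]
    except (ValueError, IndexError):
        return None
    if not first & 0x80:  # bit 7 is set in every valid packet header
        return None
    # New format (bit 6 set): tag in bits 5-0. Old format: tag in bits 5-2.
    return first & 0x3F if first & 0x40 else (first >> 2) & 0x0F

def find_secret_key_blocks(text):
    """Return (armor_label, reason) for each block that must not be published."""
    findings = []
    for label, body in ARMOR_RE.findall(text):
        tag = first_packet_tag(body)
        if tag in SECRET_TAGS:
            findings.append((label, f"first packet is {SECRET_TAGS[tag]}"))
        elif "PRIVATE KEY" in label:
            findings.append((label, "armor label says private key"))
    return findings

def armor_block(label, raw):
    """Build a constructed armor block (dummy bytes, placeholder checksum)."""
    b64 = base64.b64encode(raw).decode()
    return (f"-----BEGIN PGP {label}-----\nVersion: constructed\n\n"
            f"{b64}\n=AAAA\n-----END PGP {label}-----\n")

# Constructed sample: an "All" export pasted into a page, plus a mislabeled block.
SAMPLE_PAGE = (
    armor_block("PUBLIC KEY BLOCK", b"\x99\x01\x0d" + bytes(9))
    + armor_block("PRIVATE KEY BLOCK", b"\xc5\x03\xc6" + bytes(9))
    + armor_block("PUBLIC KEY BLOCK", b"\x95\x03\xc6" + bytes(9)))

if __name__ == "__main__":
    for label, reason in find_secret_key_blocks(SAMPLE_PAGE):
        print(f"BLOCK PUBLICATION: {label}: {reason}")
```

Run against the text of a page before it goes live, an empty result means no armored block in it starts with a secret-key packet or carries a private-key label.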
