Trustaira Blog

A security analyst has unveiled security flaws in the third-party API used by Symantec certificate partners. This Symantec API flaw can allow the attackers to retrieve SSL certificates including private keys.

API flaw exposed Symantec SSL certificates & keys

Symantec SSL Certificates & Keys can be Stolen via API

The Symantec API flaw was first found by Chris Byrne, a data security specialist and instructor for Cloud Harmonics. He discussed the details in his Facebook post.


Symantec API flaw exposes SSL certificates and keys

It could permit an unauthenticated hacker to access other people’s SSL certificates, including public and private keys, and also to reissue or disavow those certificates. Attackers even can do direct “man-in-the-middle” attack over secure connections using the stolen certificates and deceive the customers by making them belief that they are on a trusted site.


” All you had to do was click a link sent in [an] email, and you could retrieve a cert, revoke a cert, and re-issue a cert,” Byrne wrote in a Facebook post.


The security researcher  says that tech-savvy customers would have easily figured out that they could modify one of the parameters in the email links and access details or perform actions on other SSL  accounts.


Because the API server did not have any authentication mechanism for accessing certificate information, an attacker could have very easily automated attacks and scraped information on Symantec customers, identifying high-value targets.


Symantec knew about this API Flaw Since 2015

Byrne said he initially found the issues encompassing Symantec authentications in 2015 and consented to “limited non-disclosure,” as Symantec said the organization would take almost two years to settle the issues.


“Symantec focused on finding and supplanting the majority of the certificates which may have been affected, and afterward supplant them… that they would do as such inside six months for each cert they could distinguish, and inside two years for each cert period,” Byrne said.


The specialist did not uncover any subtle elements to public until a month ago when Google publicly revealed its arragements to continuously doubt Symantec-issued certificates inside Google Chrome subsequent to finding a few issues with the organization and four of its outsider cert affiliates.


“Given Google’s involvement and activities here, it creates the impression that Symantec did not settle these issues as they focused on,” Byrne said.


In any case, Byrne was not ready to confirm that the weakness he found were the very same issue Google engineers uncovered a month ago.


As indicated by Byrne, the certificate request and API interface Symantec gives to its outsider affiliates acknowledge URI-based UIDs “without appropriate confirmation, or sometimes, any validation whatsoever.”


As a result, this would have permitted the malicious attacker to get to data on other Symantec clients, distinguishing high-esteem targets, and perform automated attacks.


Getting Full Control Over Another Client’s SSL Certificates

By using this Symantec API flaw,  an attacker can easily gain full control over another clients’ certificates, private & public keys and reissue/revoke them.

Though no proof is shown yet which demonstrate this situation, Byrne’s claim is strong enough to consider it as a real threat for Symantec users.


“It would then be inconsequential to trade off DNS for a specific association or individual they needed to assault. By then, they could claim to be that individual’s bank, their their credit card company, their employer, anybody,” Byrne included.


“Maybe the most noticeably awful bargain is satire a fix and refresh server, for a whole organization. At that point each and every machine at that organization could be bargained all the while.”


As indicated by the analyst, Symantec has since settled a portion of the issues, yet not all.  Symantec has not yet reacted to the Byrne’s revelation, however the organization has as of late distributed two blog entries blaming Google for “overstated and misdirecting” claims the internet searcher made a month ago in regards to its CAs.


UPDATE: Symantec’s Reaction

Symantec has responded to this API flaw news and provided the following statement:


“We have looked into Chris Byrne’s research claim and could not recreate the problem. We would welcome the proof of concept from the original research in 2015 as well as the most recent research. In addition, we are unaware of any real-world scenario of harm or evidence of the problem. However, we can confirm that no private keys were accessed, as that is not technically feasible.”


“We welcome any feedback that helps improve security for the community. Anyone who would like to share further details about real-world scenarios or proof of concept should contact us here.”


Stay with us for the latest security updates..