Adobe has certainly not been immune to blunders during the course of this year, having accidentally made available its Project Nimbus Preview to Creative Cloud customers back in July with the company remaining tight-lipped regarding announcements of its formal release. Now, it appears that Adobe's internal security team has set foot into the spotlight.
"Oh shit Adobe" pic.twitter.com/7rDL3LWVVz — Juho Nurminen (@jupenur), September 22, 2017
On the blog of Adobe's Product Security Incident Response Team (PSIRT), the group publishes its public PGP key so that external parties can send it encrypted e-mail. However, alongside the public key, the private PGP key for the firstname.lastname@example.org e-mail account was also on full display. The page containing both keys has since been taken down and replaced by a new page carrying a brand new public key.
While the cause of the error is not believed to be anything malicious, it has been hypothesized that a member of the PSIRT team used the Mailvelope browser extension to export the e-mail account's public key. Instead of selecting the option to export just the public key, the option to export both the public and private keys was accidentally selected, and the resulting export was then published on the blog.
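The export mix-up described above is easy to catch before anything goes live: an armored OpenPGP private key announces itself both in its `-----BEGIN PGP PRIVATE KEY BLOCK-----` label and in the first packet tag of its base64 body. The following pre-publish check is an added example written for this article; it is not Adobe's or Mailvelope's code. The sample page it scans is constructed, with placeholder key material in place of real key data, and the `Version:` armor header is likewise an assumed value rather than one taken from the leaked page.

```python
import base64
import re

# Constructed sample of an accidental "export both keys" paste: a public key
# block followed by a private key block. The base64 bodies are placeholders,
# except for the first four characters, which encode a realistic packet header.
SAMPLE_PAGE = """\
Contact us securely using the key below.

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: Mailvelope v2.0.0

mQENBF...placeholder public key material...
=AbCd
-----END PGP PUBLIC KEY BLOCK-----

-----BEGIN PGP PRIVATE KEY BLOCK-----
Version: Mailvelope v2.0.0

lQOYBF...placeholder private key material...
=EfGh
-----END PGP PRIVATE KEY BLOCK-----
"""

# One ASCII-armored block: header line, armor headers + base64 body, matching footer.
ARMOR_RE = re.compile(
    r"-----BEGIN PGP (?P<kind>[A-Z ]+?)-----\r?\n"
    r"(?P<body>.*?)"
    r"-----END PGP (?P=kind)-----",
    re.DOTALL,
)

# Armor labels that must never appear on a public page.
SECRET_KINDS = {"PRIVATE KEY BLOCK", "SECRET KEY BLOCK"}
# OpenPGP packet tags (RFC 4880): 5 = Secret-Key, 7 = Secret-Subkey.
SECRET_KEY_TAGS = {5, 7}


def find_armor_blocks(text):
    """Return (kind, armor_headers, body_lines) for each armored block in text."""
    blocks = []
    for m in ARMOR_RE.finditer(text):
        raw = m.group("body").strip("\r\n").splitlines()
        headers = {}
        i = 0
        # Armor headers such as "Version: ..." precede a blank line and the base64 body.
        while i < len(raw) and raw[i].strip() and ":" in raw[i]:
            key, _, value = raw[i].partition(":")
            headers[key.strip()] = value.strip()
            i += 1
        body = [line for line in raw[i:] if line.strip()]
        blocks.append((m.group("kind"), headers, body))
    return blocks


def leading_packet_tag(first_body_line):
    """Decode the first packet header byte of a base64 body and return its tag.

    Works regardless of the armor label, so a private key pasted under a
    'PUBLIC KEY BLOCK' label is still caught.
    """
    first_byte = base64.b64decode(first_body_line[:4])[0]
    if first_byte & 0x40:            # new-format header: tag in the low 6 bits
        return first_byte & 0x3F
    return (first_byte >> 2) & 0x0F  # old-format header: tag in bits 2..5


def secret_blocks(text):
    """Armor kinds of every block that is, or contains, secret key material."""
    flagged = []
    for kind, _, body in find_armor_blocks(text):
        tag = leading_packet_tag(body[0]) if body else None
        if kind in SECRET_KINDS or tag in SECRET_KEY_TAGS:
            flagged.append(kind)
    return flagged


def safe_to_publish(text):
    return not secret_blocks(text)


if __name__ == "__main__":
    for kind, headers, body in find_armor_blocks(SAMPLE_PAGE):
        print(f"{kind:18s} tag={leading_packet_tag(body[0])} "
              f"exported by {headers.get('Version', 'unknown')}")
    print("safe to publish:", safe_to_publish(SAMPLE_PAGE))
```

Running this over a draft page (or wiring `safe_to_publish` into a pre-commit hook for a static blog) rejects the paste on both counts: the second block carries a private-key label and its body begins with a Secret-Key packet (tag 5), whereas the first block begins with a Public-Key packet (tag 6).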
Even though this appears to be a case of human error, the leak of the private key could still be a fairly serious issue. Should any party, perhaps including the NSA, get hold of e-mails encrypted to the old PGP public key, a copy of the private key would let them read those messages and potentially discover recently reported but still unpatched vulnerabilities in Adobe's software, such as Flash.