Vulnerabilities - Qihoo 360 Exposes Wildcard SSL Private Key
Basically, Qihoo 360 accidentally shared a secret key that protects user data, making it vulnerable to hackers.
Qihoo 360 has leaked its wildcard SSL private key in a public installer. This exposes users to serious security risks, including data interception and impersonation. The company is taking steps to mitigate the fallout.
The Flaw
On March 16, 2026, Qihoo 360, China's largest cybersecurity firm, made a significant operational security blunder. The company bundled its wildcard SSL private key within the public installer of its newly launched AI assistant, 360Qihoo (also known as Security Claw). This key, which is crucial for establishing secure connections, was found unprotected in the installer package. Researchers discovered it while inspecting the directory structure of the software.
The wildcard SSL certificate, issued by WoTrus CA Limited, is valid for all subdomains under the myclaw.360.cn domain. The exposure of this key poses serious risks, as it allows potential attackers to perform high-impact actions, such as intercepting user traffic and impersonating legitimate servers.
What's at Risk
The implications of this leak are extensive. With possession of the wildcard SSL private key, an attacker could execute a Man-in-the-Middle (MitM) attack, decrypting all traffic between users and the AI servers. They could also create a fake endpoint that browsers would trust, leading to credential harvesting through convincing login pages. Furthermore, attackers could hijack AI sessions, manipulating queries sent to the backend.
The entire infrastructure of myclaw.360.cn was theoretically compromised the moment the installer was made public. This extensive breach highlights the critical importance of secure software development practices, particularly for a firm trusted by over 461 million users.
Patch Status
Following the public disclosure of the leak, Qihoo 360 took immediate action to revoke the compromised certificate. However, the revocation process is not instantaneous. Due to the behavior of Online Certificate Status Protocol (OCSP) caching, some clients may still receive a valid status response from cached lookups. This means that even after revocation, the risk persists until all caches are updated.
The timing of this incident is particularly embarrassing for Qihoo 360. The company's founder had publicly assured users that Security Claw would never leak passwords, a promise that was broken before the product's launch day ended.
Immediate Actions
For users of Qihoo 360's products, it is crucial to remain vigilant. Here are some steps you can take:
- Change passwords: If you have used the AI assistant, consider changing your passwords for any accounts accessed through it.
- Monitor accounts: Keep an eye on your accounts for any suspicious activity.
- Stay updated: Follow Qihoo 360's communications for updates on the situation and any further security measures they may implement.
This incident serves as a stark reminder of the importance of operational security. Companies must prioritize secure coding practices to protect user data and maintain trust.