Adobe's Product Security Team Accidentally Posted Its Private PGP Encryption Key to Its Blog

By Tom McKay

The past few weeks have been a nightmare for data breaches, so good news: here’s another easily preventable security problem. Adobe’s Product Security Incident Response Team (PSIRT) accidentally posted the private PGP key—the key needed to decrypt messages sent to the team under its public PGP key—associated with its psirt@adobe.com email address this week, Ars Technica reported.

The mistake was first noticed on Friday afternoon by security researcher Juho Nurminen, who posted it to Twitter with the caption “Oh shit Adobe.”

PGP, which stands for Pretty Good Privacy, is a method for sending encrypted messages with close to government-grade security. PGP users have two keys: a public key, tied to an email address or username, which anyone can use to encrypt messages to them, and a private key, which should be known only to the recipient and is used to decrypt those messages.

Knowing the private PGP key would not, in and of itself, let an attacker break into Adobe’s associated email account, which would have its own layers of security. But as The Register noted, the leaked key could cause other problems for Adobe, since the address is the one used to report critical security flaws in its products:

Armed with the private key, an attacker could spoof PGP-signed messages as coming from Adobe. Additionally, someone (cough, cough the NSA) with the ability to intercept emails—such as those detailing exploitable Flash security vulnerability reports intended for Adobe’s eyes only—could use the exposed key to decrypt messages that could contain things like, say, zero-day vulnerability disclosures.

According to Ars Technica, the mistake appears to have happened when an Adobe staffer posted a text file containing the public PGP key exported with Mailvelope, a common browser extension, and forgot to trim the section of the exported file that contained the private key.
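The failure described above is a private-key block left inside an exported ASCII-armored file that was meant to carry only the public key. The following is an added example, not code from Adobe, Mailvelope, or either cited outlet: a small Python pre-publish check that finds every OpenPGP armor block in a text file, refuses to pass anything containing a PRIVATE or SECRET KEY BLOCK, and returns a copy that keeps only the public-key block. The armored export below is constructed (the base64 bodies are placeholders, not real key material) and the function names are my own.

```python
import re

# OpenPGP ASCII armor (RFC 4880, section 6.2) wraps each block in
# "-----BEGIN PGP <TYPE>-----" ... "-----END PGP <TYPE>-----".
# The backreference forces the END line to carry the same type as the BEGIN line.
ARMOR_BLOCK = re.compile(
    r"-----BEGIN PGP (?P<type>[A-Z ]+)-----\r?\n"
    r"(?P<body>.*?)"
    r"-----END PGP (?P=type)-----",
    re.DOTALL,
)

# Armor types that must never appear in a file destined for a public page.
# "PRIVATE KEY BLOCK" is what GnuPG and Mailvelope emit; "SECRET KEY BLOCK"
# is included for older or non-standard tooling.
PRIVATE_TYPES = {"PRIVATE KEY BLOCK", "SECRET KEY BLOCK"}

# Constructed stand-in for a Mailvelope key-pair export: public block first,
# private block second. The bodies are not valid key packets.
CONSTRUCTED_EXPORT = """\
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: CONSTRUCTED-EXAMPLE

mQENBEXAMPLEPUBLICKEYDATA0000
=AAAA
-----END PGP PUBLIC KEY BLOCK-----
-----BEGIN PGP PRIVATE KEY BLOCK-----
Version: CONSTRUCTED-EXAMPLE

lQOYBEXAMPLEPRIVATEKEYDATA0000
=BBBB
-----END PGP PRIVATE KEY BLOCK-----
"""


def find_armor_blocks(text):
    """Return [(armor_type, full_block_text), ...] for every block in text."""
    return [(m.group("type"), m.group(0)) for m in ARMOR_BLOCK.finditer(text)]


def contains_private_key(text):
    """True if any armored block in text is a private/secret key block."""
    return any(t in PRIVATE_TYPES for t, _ in find_armor_blocks(text))


def public_blocks_only(text):
    """Return only the PUBLIC KEY BLOCK sections of text, separated by blank lines.

    Everything else (private blocks, surrounding prose) is dropped, so the
    result is safe to paste into a public page.
    """
    return "\n\n".join(b for t, b in find_armor_blocks(text) if t == "PUBLIC KEY BLOCK")


def publish_check(text):
    """Gate a text file before it is posted publicly.

    Returns (True, "ok") when the file holds armored blocks and none of them
    is a private key, otherwise (False, reason).
    """
    blocks = find_armor_blocks(text)
    if not blocks:
        return (False, "no armored PGP block found")
    private = [t for t, _ in blocks if t in PRIVATE_TYPES]
    if private:
        return (False, "refusing to publish: found " + ", ".join(private))
    return (True, "ok")


if __name__ == "__main__":
    print(publish_check(CONSTRUCTED_EXPORT))
    print(publish_check(public_blocks_only(CONSTRUCTED_EXPORT)))
```

The check keys on the armor header text rather than decoding the packets, which is enough for this failure mode: a private key cannot be pasted in armored form without its BEGIN/END lines. Running it on the constructed export refuses the file; running it on `public_blocks_only(...)` of the same file passes.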

PGP is not exactly user-friendly—it’s frankly pretty cumbersome—but this is still a relatively major mistake. The original post has since been deleted and replaced with a new key, so hopefully no damage was done in the brief period the private key was live on the site. Certainly the recent weeks have seen much, much worse problems with digital security than this little incident, so we should probably cut Adobe a break on this one. [Ars Technica, The Register]