Researchers are shocked by the extent of the mistake the company made.

Chinese company Qihoo 360, a major player in the cybersecurity market, found itself at the center of an incident due to its own error. The public installer for its new AI assistant contained a private SSL key used to verify the authenticity of the company's servers.
The issue was discovered by security researcher Lukasz Olejnik. In the installation file for the 360 Security Claw assistant, based on the open-source OpenClaw project, he found an unprotected archive containing a valid SSL certificate for the domain "myclaw.360[.]cn." Extracting the key required nothing more than unpacking the installer with any basic archive tool.
The certificate is valid until April 2027 and applies to all platform subdomains. Essentially, it is a master key that can be used to authenticate traffic within the service's infrastructure.
The company's scale exacerbates the situation. Qihoo 360 serves hundreds of millions of users and holds a dominant position in the Chinese cybersecurity market, comparable to Norton or McAfee globally. At the product's launch, the company's founder, Zhou Hongyi, emphasized that the system prevents password leaks.
Leaking such a key into the public domain poses serious risks. Attackers could impersonate the company's servers, intercept user traffic, or deploy phishing pages that browsers will perceive as completely legitimate. The use of genuine certificates has already become a noticeable trend in the cybercriminal community, and such a leak significantly simplifies attacks.
At the time of publication, Qihoo 360 had not commented on the situation or announced the revocation of the compromised certificate, a standard measure taken in the event of such data breaches.
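The defensive lesson from the incident above is that private key material is trivially found once it sits in a shipped artifact, so the scan has to happen before release. The following is an added example, not code from the article, from Qihoo 360 or from the OpenClaw project: a small pre-release check that walks a build directory, looks inside zip bundles, and flags any PEM private key, noting whether it is passphrase-protected and whether a certificate is shipped in the same file. The directory layout, file names and PEM bodies are constructed placeholders, not real key material; the `Proc-Type: 4,ENCRYPTED` header and the `ENCRYPTED PRIVATE KEY` label are the standard PEM markers for encrypted keys.

```python
import os
import re
import tempfile
import zipfile
from dataclasses import dataclass
from typing import List

# Any PEM block; group 1 is the label (e.g. "RSA PRIVATE KEY", "CERTIFICATE"),
# group 2 is everything between the BEGIN and END lines, headers included.
PEM_BLOCK = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL
)


@dataclass
class Finding:
    path: str               # file path, or "archive.zip!member" for a zip entry
    label: str              # PEM label, e.g. "RSA PRIVATE KEY"
    encrypted: bool         # passphrase-protected key (lower severity, still a finding)
    with_certificate: bool  # a CERTIFICATE block sits in the same file


def scan_bytes(data: bytes, path: str) -> List[Finding]:
    """Return one Finding per private key block found in `data`."""
    blocks = [(m.group(1).decode("ascii"), m.group(2)) for m in PEM_BLOCK.finditer(data)]
    has_cert = any(label == "CERTIFICATE" for label, _ in blocks)
    findings = []
    for label, body in blocks:
        if "PRIVATE KEY" not in label:
            continue
        encrypted = label.startswith("ENCRYPTED") or b"Proc-Type: 4,ENCRYPTED" in body
        findings.append(Finding(path, label, encrypted, has_cert))
    return findings


def scan_tree(root: str, max_bytes: int = 50 * 1024 * 1024) -> List[Finding]:
    """Scan every file under `root`, descending one level into zip archives."""
    findings: List[Finding] = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            if os.path.getsize(full) > max_bytes:
                continue
            if zipfile.is_zipfile(full):
                with zipfile.ZipFile(full) as zf:
                    for info in zf.infolist():
                        if info.is_dir() or info.file_size > max_bytes:
                            continue
                        findings.extend(scan_bytes(zf.read(info), f"{full}!{info.filename}"))
            else:
                with open(full, "rb") as fh:
                    findings.extend(scan_bytes(fh.read(), full))
    return findings


def build_sample_tree(root: str) -> None:
    """Constructed fixture: PEM bodies are placeholder text, not real keys or certificates."""
    fake_key = (b"-----BEGIN RSA PRIVATE KEY-----\n"
                b"MIIEpAIBAAKCAQEAplaceholder...\n"
                b"-----END RSA PRIVATE KEY-----\n")
    fake_cert = (b"-----BEGIN CERTIFICATE-----\n"
                 b"MIIDplaceholder...\n"
                 b"-----END CERTIFICATE-----\n")
    enc_key = (b"-----BEGIN RSA PRIVATE KEY-----\n"
               b"Proc-Type: 4,ENCRYPTED\n"
               b"DEK-Info: AES-256-CBC,00000000000000000000000000000000\n\n"
               b"placeholder...\n"
               b"-----END RSA PRIVATE KEY-----\n")
    os.makedirs(os.path.join(root, "resources"), exist_ok=True)
    with open(os.path.join(root, "resources", "server.pem"), "wb") as fh:
        fh.write(fake_cert + fake_key)  # certificate and key shipped side by side
    with open(os.path.join(root, "README.txt"), "wb") as fh:
        fh.write(b"Nothing sensitive in this file.\n")
    with zipfile.ZipFile(os.path.join(root, "bundle.zip"), "w") as zf:
        zf.writestr("certs/backup.key", enc_key)
        zf.writestr("certs/ca.crt", fake_cert)


def scan_sample_tree() -> List[Finding]:
    """Build the constructed fixture in a temp dir, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_tree(tmp)


if __name__ == "__main__":
    for f in scan_sample_tree():
        severity = "LOW" if f.encrypted else "HIGH"
        extra = " (certificate in same file)" if f.with_certificate else ""
        print(f"[{severity}] {f.path}: {f.label}{extra}")
```

Run against a real build output with `scan_tree("dist/")`; an unencrypted key next to its certificate is the pattern described in the article and should fail the release pipeline. The scan is deliberately format-agnostic (it matches PEM markers in raw bytes), so it also catches keys embedded in binaries or text resources, but it only descends one level into zip files; nested archives or other container formats would need their own unpacking step.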