The exposure was spotted by security researcher Juho Nurminen, who saw the key on the Photoshop maker's Product Security Incident Response Team website. That contact page should have carried only the public PGP key.
Adobe has not answered a request for comment on the matter, perhaps because it has somewhat more pressing concerns at the moment, namely key rotation and some internal education on the difference between public and private keys. It has also removed the private key from the security blog.
It goes without saying that the disclosure of a private security key would, to put it lightly, ruin a few employees' Friday. Armed with the secret key, an attacker could forge PGP-signed messages so that they appear to come from Adobe. In addition, anyone able to intercept emails intended for Adobe's eyes only, such as reports of exploitable Flash security vulnerabilities, could use the disclosed key to decrypt them and read information that might include, say, zero-day vulnerability details.
With that information in hand, criminals could infect users with malware before Adobe had even begun deploying a patch.
On the other hand, PGP is not exactly known for being a user-friendly system, and intercepting and decrypting communications would be difficult to pull off before the keys are changed.
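As an added example (not code from the article, from Adobe or from the researcher), here is the kind of pre-publication check a web team could run on a key export before pasting it onto a page: it de-armors the block and walks the OpenPGP packet headers (RFC 4880) to flag secret-key packets (tags 5 and 7) regardless of what the armor label says, since a block labelled PUBLIC KEY BLOCK can still carry private material. The sample blocks are built from hand-constructed packet bytes, not real keys.

```python
import base64
import re

SECRET_KEY_TAGS = {5, 7}  # RFC 4880 section 4.3: Secret-Key and Secret-Subkey packets


def dearmor(text):
    """Return (armor label, decoded bytes) for the first ASCII-armored block in text."""
    m = re.search(r"-----BEGIN PGP ([A-Z ]+)-----(.*?)-----END PGP \1-----", text, re.S)
    if not m: raise ValueError("no PGP armor found")
    # Drop armor headers (they contain ':'), blank lines and the CRC24 line (starts with '=').
    body = [l.strip() for l in m.group(2).splitlines()]
    return m.group(1), base64.b64decode("".join(l for l in body if l and ":" not in l and l[0] != "="))


def packet_tags(data):
    """Walk the OpenPGP packet headers (RFC 4880 section 4.2) and return the packet tags."""
    tags, i = [], 0
    while i < len(data):
        ctb = data[i]
        if not ctb & 0x80: raise ValueError("bad packet header at offset %d" % i)
        if ctb & 0x40:  # new-format header: tag in the low 6 bits, 1/2/5-octet length
            tag, first = ctb & 0x3F, data[i + 1]
            if first < 192:
                length, hdr = first, 2
            elif first < 224:
                length, hdr = ((first - 192) << 8) + data[i + 2] + 192, 3
            elif first == 255:
                length, hdr = int.from_bytes(data[i + 2:i + 6], "big"), 6
            else:
                raise ValueError("partial body lengths not supported")
        else:  # old-format header (what GnuPG uses for key packets): tag in bits 2-5
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3: raise ValueError("indeterminate length not supported")
            n = 1 << ltype  # 1, 2 or 4 length octets
            length, hdr = int.from_bytes(data[i + 1:i + 1 + n], "big"), 1 + n
        tags.append(tag)
        i += hdr + length
    return tags


def contains_secret_key(armored):
    """True if the block holds a secret key or subkey packet, whatever its label says."""
    return any(t in SECRET_KEY_TAGS for t in packet_tags(dearmor(armored)[1]))


def armor(label, data):
    """Wrap constructed bytes in a minimal armored block (no CRC24 line)."""
    return "-----BEGIN PGP %s-----\n\n%s\n-----END PGP %s-----\n" % (label, base64.b64encode(data).decode(), label)


# Constructed packets, not real keys: 0xc6 = tag 6 public key (new format),
# 0xb8 = tag 14 public subkey (old format), 0xc5 = tag 5 secret key (new format).
PUBLIC_ONLY = armor("PUBLIC KEY BLOCK", b"\xc6\x03\x04\x00\x00\xb8\x02\xaa\xbb")
LEAKED = armor("PUBLIC KEY BLOCK", b"\xc6\x03\x04\x00\x00\xc5\x04\x04\x01\x02\x03")
```

Run `contains_secret_key()` over any armored export before it is published; the second sample shows that the armor label alone is not a reliable signal.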