Flaws in the API used by Symantec partners would have allowed an attacker to retrieve certificates, including private keys, security researcher Chris Byrne said in a Facebook post published over the weekend.
Byrne said he discovered the issue in 2015 and agreed to what he called "limited non-disclosure": Symantec told him it would need at least two years to fix the problems and asked him not to publish any details in the meantime.
"I agreed to limited non-disclosure of the issue, unless I felt it was critically necessary, or it would be unethical or irresponsible for me not to disclose," said Byrne, "for example, if there were a threat to national security, or I discovered a compromise of a client, or any actual criminal compromise arising from it, etc."
According to Byrne's Facebook post, a flaw in the Symantec API used by Symantec certificate resellers allowed unauthenticated access to other persons' certificate details.
"All you had to do was click a link sent in [an] email, and you could retrieve a cert, revoke a cert, and re-issue a cert," Byrne wrote.
The researcher says that tech-savvy customers would have easily figured out that they could modify one of the parameters in the email links and access details or perform actions on other accounts.
Because the API server didn't authenticate users before accessing certificate information, an attacker could have very easily automated attacks and scraped information on Symantec customers, identifying high-value targets.
Using the same API flaws, an attacker could have retrieved certificates together with their private keys and used them to mount MitM attacks, intercepting customer traffic to online stores or serving fake updates from software update servers, to list just a few of the possible attacks.
Besides customers who bought Symantec certificates from third-party resellers, Byrne says clients who obtained their certificates directly from Symantec were exposed as well, not through the API but through another part of Symantec's client web interface.
"Even with first party purchase, for some time in some web interfaces, it was possible for properly authenticated users to edit a URL, and retrieve the certs (including private keys) of other authenticated users," the researcher added.
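The two access-control failures described above (an emailed link whose order parameter is the only credential, and an authenticated interface that never checked ownership) reduced to a toy form, as an added example that is not Byrne's code or Symantec's actual API. The `CertOrder` records, account names, order numbers and the per-order link token are all constructed for illustration; the hardened handler shows the checks a reseller endpoint of this kind would need.

```python
"""
Added example, not code from the article or from Symantec: a toy certificate
retrieval endpoint showing the access-control flaw class Byrne describes next
to a hardened version. All records, names and tokens here are constructed.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class CertOrder:
    order_id: int
    owner: str                # account that bought the certificate (assumed field)
    domain: str
    private_key_pem: str      # constructed placeholder, not real key material
    # Unguessable per-order capability embedded in the emailed link (hardened design only)
    link_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


# Constructed sample data: two customers of a hypothetical reseller API
ORDERS = {
    1001: CertOrder(1001, "alice", "shop.example", "-----BEGIN PRIVATE KEY----- alice ..."),
    1002: CertOrder(1002, "bob", "updates.example", "-----BEGIN PRIVATE KEY----- bob ..."),
}


def vulnerable_retrieve(order_id: int) -> dict:
    """The flaw class described in the article: the only input is the order
    number taken from the emailed link, so anyone who edits that number (or
    simply counts upward) receives another customer's certificate and key.
    No session, no ownership check."""
    order = ORDERS[order_id]
    return {"domain": order.domain, "private_key": order.private_key_pem}


def enumerate_all(start: int, stop: int) -> List[str]:
    """How trivially the vulnerable endpoint is scraped: a loop over sequential
    IDs yields the customer inventory an attacker would use to pick targets."""
    found = []
    for oid in range(start, stop + 1):
        try:
            found.append(vulnerable_retrieve(oid)["domain"])
        except KeyError:
            continue
    return found


class AccessDenied(Exception):
    pass


def hardened_retrieve(session_user: Optional[str], order_id: int, link_token: str) -> dict:
    """Hardened version. Two independent checks, both required:
    1. the caller is authenticated (an emailed link is not an identity), and the
       authenticated account owns the order (this closes the 'edit the URL while
       logged in' case quoted above);
    2. the link carries the order's unguessable capability token, compared in
       constant time, so a bare sequential number is never sufficient."""
    if session_user is None:
        raise AccessDenied("authentication required")
    order = ORDERS.get(order_id)
    # Same error for 'missing' and 'not yours', so order IDs cannot be probed
    if order is None or order.owner != session_user:
        raise AccessDenied("no such order for this account")
    if not hmac.compare_digest(order.link_token, link_token):
        raise AccessDenied("invalid link")
    return {"domain": order.domain, "private_key": order.private_key_pem}


def access_allowed(session_user: Optional[str], order_id: int, link_token: str) -> bool:
    """Convenience wrapper: True if the hardened endpoint would release the record."""
    try:
        hardened_retrieve(session_user, order_id, link_token)
        return True
    except AccessDenied:
        return False


if __name__ == "__main__":
    # The vulnerable API leaks both customers' domains to an unauthenticated loop
    print(enumerate_all(1000, 1010))
    # alice, logged in, tries bob's order with a guessed number: denied
    print(access_allowed("alice", 1002, ORDERS[1002].link_token))
    # alice retrieving her own order with her own link: allowed
    print(access_allowed("alice", 1001, ORDERS[1001].link_token))
```

Note that the ownership check alone would not have helped the unauthenticated reseller API, and the capability token alone would not have helped the authenticated interface where users could edit the URL; the hardened handler needs both, and it deliberately reports "missing" and "not yours" identically so the ID space cannot be mapped.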
Byrne says Symantec promised that in six months they would find and replace any certificates managed through the vulnerable interfaces, which might have been impacted by these security lapses.
Further, Byrne says Symantec also promised that in two years, they would replace all their certificates, just to make sure no customer was exposed.
Byrne told several fellow researchers and infosec journalists about his findings after his cancer recurred in late 2015. Before focusing on his health, Byrne said he tested Symantec's infrastructure a few months after his initial report, and he says the company did fix some issues, but not all.
Byrne said he had not tested Symantec's infrastructure recently. His decision to go public came after Google announced a plan to gradually distrust Symantec certificates in Google Chrome, having found several problems with Symantec and four of its third-party resellers.
Byrne was not able to verify that the issues he found are the same ones Google's engineers found. Whether or not they are, Symantec is going through a bad stretch at the moment.
"I would be extremely wary of any site with a Symantec cert issued before late 2016, and take some extra caution regarding any Symantec cert period," Byrne concluded his Facebook post.
Symantec did not respond to a request for comment from Bleeping Computer in time for this article's publication. On the other hand, Symantec had previously published two blog posts [1, 2] accusing Google of misleading and exaggerated claims regarding its CA business. Google's decision to distrust Symantec certs is only a proposal at this stage, so Symantec still hopes to convince Google to drop its plan.
UPDATE [March 28, 2017]: Symantec has provided the following statement following Byrne's Facebook post: