Qihoo 360 leaks critical SSL private key in new AI assistant installer
China’s largest cybersecurity firm accidentally exposed the digital master key for its new AI platform. The company shipped a valid wildcard SSL certificate directly inside a public download package.
In a massive security failure, Qihoo 360 leaked a wildcard SSL private key for its new 360 Security Claw AI assistant. The cybersecurity company inadvertently embedded the credentials directly into the public software installer.
Key Takeaways:
- The exposure: The leaked private key secures the wildcard domain for the entire AI platform. The certificate is issued by WoTrus CA and remains valid until April 2027.
- The error: Developers left the key sitting inside an uncompressed archive file within the installer directory. Anyone who downloads the software package can extract the credentials using standard tools like OpenSSL.
- The impact: Malicious actors can use this key to impersonate official Qihoo 360 servers. Attackers can intercept sensitive user traffic and craft perfectly legitimate-looking phishing pages.
- The irony: During the product launch, the founder publicly promised that the new AI assistant would never leak passwords. The company then shipped the master key to its own backend infrastructure to every single user who downloaded the app.
The Bottom Line: Possessing this leaked private key allows any attacker to intercept, decrypt, and manipulate all user traffic on the 360 Security Claw platform.
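A pre-release check for the failure described above, as an added example that is not from the article or from Qihoo 360: it walks an installer's nested zip and tar archives and reports every member that carries a PEM private key header. The archive formats, file names and the placeholder key are assumptions constructed for the example.

```python
import io
import re
import tarfile
import zipfile

# PEM headers that mark private key material (PKCS#8, PKCS#1 RSA, SEC1 EC, OpenSSH).
PEM_KEY = re.compile(rb"-----BEGIN (?:RSA |EC |DSA |OPENSSH |ENCRYPTED )?PRIVATE KEY-----")
MAX_DEPTH = 4  # do not descend into archives nested deeper than this


def scan_blob(name, data, depth=0):
    """Return the paths of leaf files that contain a PEM private key header."""
    buf = io.BytesIO(data)
    if depth < MAX_DEPTH:
        if zipfile.is_zipfile(buf):
            with zipfile.ZipFile(buf) as zf:
                return [hit for info in zf.infolist() if not info.is_dir()
                        for hit in scan_blob(f"{name}!{info.filename}", zf.read(info), depth + 1)]
        buf.seek(0)
        try:
            with tarfile.open(fileobj=buf, mode="r:*") as tf:
                return [hit for m in tf if m.isfile()
                        for hit in scan_blob(f"{name}!{m.name}", tf.extractfile(m).read(), depth + 1)]
        except tarfile.TarError:
            pass  # not an archive: treat as a plain file below
    return [name] if PEM_KEY.search(data) else []


def build_sample_installer():
    """Constructed sample: a zip holding an uncompressed tar with a placeholder key."""
    fake_key = b"-----BEGIN PRIVATE KEY-----\nPLACEHOLDER-NOT-A-REAL-KEY\n-----END PRIVATE KEY-----\n"
    tar_buf = io.BytesIO()
    with tarfile.open(fileobj=tar_buf, mode="w") as tf:
        for path, body in (("certs/server.key", fake_key), ("readme.txt", b"hello\n")):
            info = tarfile.TarInfo(path)
            info.size = len(body)
            tf.addfile(info, io.BytesIO(body))
    zip_buf = io.BytesIO()
    with zipfile.ZipFile(zip_buf, "w") as zf:
        zf.writestr("resources/bundle.tar", tar_buf.getvalue())
        zf.writestr("app.cfg", b"mode=release\n")
    return zip_buf.getvalue()


if __name__ == "__main__":
    # A release pipeline would fail the build when this list is not empty.
    print(scan_blob("installer.zip", build_sample_installer()))
```

Run against the real build output as a release gate, a non-empty result means key material is about to ship; a key that has already shipped has to be revoked and replaced, since removing it from later builds does not recall the copies already downloaded.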





