Yahoo extended its search offerings with the launch of its Axis search "experience," an HTML5-based mobile browser app designed to return search results as page previews rather than listing links.
Yahoo's Axis mobile browser comes in the form of an iOS app and plug-ins for Chrome, Firefox, Safari, and Internet Explorer, while an Android version is in the works. According to the company, Axis aims to speed up the search process by doing it all on the same page.
Shortening the Search Process
Ethan Batraski, Yahoo's director of product management for special products, noted that Axis enables users to get faster from an initial query to the desired result, shortening the search process by about a third. While most search interfaces use a three-step process - query, result page, and the selected result - Axis aims to reduce the process to just two steps, added Batraski.
"That's an archaic experience. It's been the same for 12 to 15 years. We decided to get rid of the middle step, because nobody really likes the middle man," said Batraski, as cited by ComputerWorld. "Our search strategy is predicated on two core beliefs - one, that people want answers, not links and two, that consumer-facing search is ripe for innovative disruption," Yahoo's Shashi Seth further explained.
Axis Functions
The Axis app has dual function - browser and search engine. Browsing functions include navigational arrows, address bar and bookmarking. Search queries return visual page previews instead of links, across the top of the screen. In order to display lower-ranking results without having to reload the page, users can simply swipe left. Meanwhile, swiping downward after selecting a given result will allow users to get the search results back at the top of the screen, without having to leave the selected Web page.
Logging in with Yahoo, Google or Facebook credentials will allow users to save searches across various devices. A menu option enables sharing via email, Twitter and Pinterest, while Facebook sharing will be available in the future, Batraski said.
Major Blunder
When it comes to the Axis extension for Chrome, however, Yahoo did a major boo-boo - it accidentally leaked its private security key. Tech blogger Nik Cubrilovic discovered the certificate blunder and revealed the issue on his blog, advising users to refrain from installing the extension "until the issue is clarified."
Upon a closer look into the extension's source code, Cubrilovic found the private security certificate, which Yahoo uses to sign the application in order to prove it is real and unaltered. According to the blogger, this mishap could result in malicious extensions that Google's Web browser would verify as coming from Yahoo.
Risks
"The certificate file is used by Yahoo! to sign the extension package, which is used by Chrome and the webstore to authenticate that the package comes from Yahoo! With access to the private certificate file a malicious attacker is able to create a forged extension that Chrome will authenticate as being from Yahoo!" Cubrilovic explained. "The clearest implication is that with the private certificate file and a fake extension you can create a spoofed package that captures all web traffic, including passwords, session cookies, etc. The easiest way to get this installed onto a victim's machine would be to DNS spoof the update URL. The next time the extension attempts to update it will silently install and run the spoofed extension." Cubrilovic also created a proof-of-concept of a spoof attack and provided instructions on how to remove the risky extension.
Problem Solved
Yahoo apologized for the incident and replaced the Web search extension with a new version that does not include its private security certificate. Axis is launching with keyword and searches only, and its search results don't include advertisements yet. Yahoo's Axis app is currently available for Apple's iPhone and iPad, with an Android app set to launch "soon," according to Batraski.
