Adobe Accidentally Published Its Private PGP Key in a Big Blunder

Last week Adobe accidentally published its private and public PGP keys, in what has quickly been pronounced as one of the silliest yet critical mistakes done by a company of Adobe's size. Alert security researchers were quick to spot Adobe's mishap. The company has since taken down the key from its website and issued a new public key.

The incident happened last week when Adobe's product security incident response team (PSIRT) published the private PGP key in a blog post. Adobe was quick to resolve its mistake, but security researchers worldwide were able to quickly spot what was amiss. Archived version of the original post is still available online.

Pretty Good Privacy, or PGP, is a system that allows encrypted emails to be sent and received over the Internet, with only the concerned party holding the keys to the encryption. By disclosing the private PGP key, Adobe unwittingly allowed anyone to decode their emails and pretend to be from Adobe's incident response team.

Security firm Sophos noted that it was unlikely anyone could have misused their private PGP key. "Fortunately, as far as we can see, Adobe's (now-revoked) private key was itself encrypted with a passphrase, meaning that it can't be used without a secret unlock code of its own, but private keys aren't supposed to be revealed even if they are stored in encrypted form," Paul Ducklin, a security researcher at Sophos wrote in a blog post.

As plenty of people united to make fun of Adobe's mistake, some used the opportunity to explain why the mistake happened and its implications for us all of those who use encrypted emails. "Some blame should go on the email client software or PGP key software that allowed user to 'accidentally' export the wrong key," Otto Kekalainen, CEO of Seravo.com wrote on Twitter. "PGP/GPG tools are not exactly designed by usability experts. For good security, usability matters. How to attract UX designers here?"