Qihoo 360 shipped a live SSL key
A security researcher reported that China’s Qihoo 360 shipped an AI-assistant installer containing its SSL private key — the key was public and valid through 2027, allowing traffic interception or server impersonation. That’s a textbook supply-chain/credential-management failure — one misplaced key now gives attackers a long-lived way to impersonate services and decrypt traffic.
The installer packaged the private key inside an OpenClaw component archive at /path/to/namiclaw/components/Openclaw/openclaw.7z/credentials, a placement first flagged by independent researcher Lukasz Olejnik. (vpncentral.com) The associated certificate carried the subject CN=*.myclaw.360.cn and had a validity window from March 12, 2026 to April 12, 2027. (cyberwebspider.com) Forensic checks verified that the key and certificate formed a valid cryptographic pair, and published analyses state the certificate was issued by WoTrus CA Limited. (cyberwebspider.com)

360 said it has revoked the certificate and asserted that the *.myclaw.360.cn name resolves to 127.0.0.1 for local-only use, describing the inclusion as a release-process error. (kucoin.com) Independent write-ups warned that OCSP/CRL caching can delay the effect of a revocation for some clients, so remediation may not have been instantaneous even after the revocation notice. (cyberwebspider.com)

The disclosure arrived days after founder Zhou Hongyi publicly pledged the product would “never leak passwords,” and commentators noted Qihoo 360 serves roughly 461 million users with an estimated market valuation near $10 billion. (kucoin.com) OpenClaw — the agent framework tied to the shipped installer — already faces scrutiny for scale and security: reporters cited over 40,000 exposed instances online and at least one high-severity CVE (CVSS 8.8) in the broader ecosystem. (news.cgtn.com)
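The "valid cryptographic pair" finding above is the check a responder runs first when a private key turns up in a shipped artifact: does the key's public half equal the certificate's SubjectPublicKeyInfo, what subject does the certificate cover, and how long is it valid. The script below is an added example, not code from the article or from Qihoo 360; it assumes only the openssl CLI, generates a throwaway key and certificate with the placeholder name *.example.invalid so it runs offline, and keeps each check in a function so it can be pointed at real files.

```shell
#!/bin/sh
# Added example (not from the article): triage a private key found in an
# installer by checking it against a certificate. Assumes the openssl CLI.
# All files and the CN below are constructed for this demonstration.

WORK="${TMPDIR:-/tmp}/keycheck.$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

# gen_pair NAME: create NAME.key / NAME.crt (self-signed, 30 days) under $WORK
# so the example needs no network and no real certificate.
gen_pair() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" \
    -subj "/CN=*.example.invalid" -days 30 >/dev/null 2>&1
}

# key_matches_cert KEY CERT: exit 0 when the public key derived from KEY is
# byte-identical to the SubjectPublicKeyInfo embedded in CERT, else 1.
# A match means whoever holds KEY can present CERT and decrypt or
# impersonate any service that trusts it.
key_matches_cert() {
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
  c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null)
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# cert_subject CERT: print the subject as openssl renders it (the CN tells
# you which hostnames an attacker could impersonate with the leaked key).
cert_subject() {
  openssl x509 -in "$1" -noout -subject
}

# cert_valid_for_days CERT DAYS: exit 0 if CERT is still valid DAYS from now
# (-checkend takes seconds). The leaked certificate's long window is what
# made the leak dangerous; a short remaining window limits the exposure.
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# cert_ocsp_uri CERT: print the OCSP responder URL, if any. Revocation is the
# remediation 360 used; remember that clients may cache OCSP/CRL answers, so
# a revoked certificate can still be accepted for a while.
cert_ocsp_uri() {
  openssl x509 -in "$1" -noout -ocsp_uri
}

# Demonstration run on the constructed files.
gen_pair demo
gen_pair other
cert_subject "$WORK/demo.crt"
openssl x509 -in "$WORK/demo.crt" -noout -dates
if key_matches_cert "$WORK/demo.key" "$WORK/demo.crt"; then
  echo "demo.key MATCHES demo.crt: treat the certificate as compromised"
else
  echo "demo.key does not match demo.crt"
fi
if key_matches_cert "$WORK/other.key" "$WORK/demo.crt"; then
  echo "other.key MATCHES demo.crt"
else
  echo "other.key does not match demo.crt (expected: different key)"
fi
```

Point key_matches_cert at the recovered key and the certificate served by the host to confirm a real compromise; a self-signed test certificate carries no OCSP URI, so cert_ocsp_uri prints nothing here, but on a CA-issued certificate it tells you which responder to query to confirm the revocation has taken effect.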