-
Qihoo 360 accidentally included the master key for its new AI assistant in the public installer.
-
The certificate came from WoTrus, the company’s own CA that browsers banned for fraud in 2016.
-
The leak happened just days after the CEO promised the software wouldn’t leak private info.
Qihoo 360, China’s biggest cybersecurity firm, just rolled out a new AI product with its SSL private key inside. We’re talking about the private key that locks down its entire platform. And the company behind the key is the same one browsers kicked out years ago for cheating.
Qihoo 360 Rolled Out Flawed New Product
On March 10, Zhou Hongyi, the founder of Qihoo 360 announced 360 Security Lobster. That’s the company’s new AI assistant that aims to fix the security problems of the popular open-source tool, OpenClaw. He made a clear promise: the software would not “leak passwords or other private information.”
Just six days later, researchers found the company’s promise was already broken. Hidden inside the public installer package was the wildcard SSL private key for .myclaw.360.cn. Think of this key as a master key to every subdomain of the platform. Anyone with it can impersonate the service, intercept user data, or create fake login pages that look perfectly real.
The discovery blew up on a Chinese developer forum. The post’s title said it best: “Hell joke: 360’s Security Lobster bundled its own domain’s private key.”
The Troubled Past of WoTrus CA
Here’s where the story takes a turn. The certificate for that leaked key came from WoTrus CA Limited. It’s worth noting that WoTrus is not some outside company; Qihoo 360 owns it. It’s actually the same company that was operating under the name WoSign before it rebranded sometime in 2017.
People who are familiar with browser security news would have seen this name in articles before now. Back in 2016, big names Google, Apple, Mozilla, and Microsoft all took action against WoSign.
The problem? An investigation revealed that WoSign backdated more than 60 certificates in order to bypass security rules. They had also secretly bought another CA, StartCom, and lied about it. The deception was so bad that all major browsers stopped trusting them.
WoSign rebranded to WoTrus. But the ownership never changed. It’s still Qihoo 360. This basically means that a company with a history of certificate fraud issued a certificate for its parent company’s new AI product. Then, that product’s installer leaked the private key. These paint a picture of security failures.
Qihoo 360’s Pattern of Trust Issues
The recent SSL key leak is not a one-off mistake on Qihoo 360’s part. The company has a track record of similar fumbles. Sometime in 2014, researchers found out that its browser loaded a page under a fake certificate for Apple’s iCloud, while others blocked it.
Then again in 2020, a security firm also uncovered deliberate backdoor features in a children’s smartwatch that Qihoo 360 made. The smartwatch had code names like “WIRETAP_INCOMING.” The US has also placed the company on its Entity List and designated it a “Chinese military company.”
The timing of this latest leak adds insult to injury. On the very same day Zhou announced his secure AI, China’s own cybersecurity agency, CNCERT, issued a warning about OpenClaw’s risks. Zhou positioned his product as the answer. Instead, it introduced a vulnerability arguably worse than anything OpenClaw faced.
For a cybersecurity giant serving 460 million users, shipping a private key in an installer isn’t just a bug. Qihoo 360 failed to notify its users immediately about this flaw, and that’s a serious breach of their security. What they now need to do is to act fast to revoke the compromised SSL certificate ASAP. Then let users know about any potential weakness within the key.
Meanwhile, other organizations like Southwest C.A.R.E. Center are dealing with the aftermath of actual ransomware attacks, where groups like MEDUSA have already leaked patient data, a reminder that when security fails, the consequences are immediate and devastating.
