Qihoo 360 AI Installer Leak Exposes Critical SSL Key, Endangering User Security

Qihoo 360’s AI Installer Exposes Critical SSL Private Key

In a significant security oversight, Qihoo 360, China’s leading cybersecurity firm, inadvertently included its wildcard SSL private key within the public installer of its newly launched AI assistant, 360Qihoo (Security Claw). This discovery, made on March 16, 2026, raises serious concerns about the company’s operational security practices.

Discovery of the Exposure

Security Claw, built upon the OpenClaw browser framework, is hosted at `https://myclaw.360.cn:19798`. Upon downloading and inspecting the installer, security researcher Lukasz Olejnik found the live, production-grade wildcard TLS private key unprotected within the package at `/path/to/namiclaw/components/Openclaw/openclaw.7z/credentials`.
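A release-time check a defender would want after an incident like this, added here as an example (it is not code from the page, from Qihoo 360 or from the researcher): walk an unpacked installer tree, look inside zip members too, and fail the build when any PEM private-key block is present. It assumes the tree has already been unpacked (Python's standard library reads zip but not 7z archives) and uses constructed placeholder key blocks, not real keys.

```python
import os
import re
import sys
import tempfile
import zipfile

# Any PEM private-key block: RSA, EC, DSA, PKCS#8 or encrypted PKCS#8.
PEM_KEY_RE = re.compile(
    rb"-----BEGIN ((?:RSA |EC |DSA |ENCRYPTED )?PRIVATE KEY)-----(.*?)-----END \1-----",
    re.DOTALL,
)

def find_private_keys(data: bytes, origin: str):
    """Return one (origin, key_type) tuple per PEM private-key block in data."""
    return [(origin, m.group(1).decode()) for m in PEM_KEY_RE.finditer(data)]

def scan_tree(root: str):
    """Scan every file under root; zip archives are scanned member by member."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if zipfile.is_zipfile(path):
                with zipfile.ZipFile(path) as zf:
                    for member in zf.namelist():
                        findings += find_private_keys(zf.read(member), f"{path}!{member}")
            else:
                with open(path, "rb") as fh:
                    findings += find_private_keys(fh.read(), path)
    return findings

def build_demo_tree(tmp: str) -> str:
    """Constructed sample tree: a plain credentials file plus a zipped one (placeholder keys)."""
    comp = os.path.join(tmp, "components")
    os.makedirs(comp)
    with open(os.path.join(comp, "credentials"), "wb") as fh:
        fh.write(b"cert=...\n-----BEGIN RSA PRIVATE KEY-----\nPLACEHOLDER\n"
                 b"-----END RSA PRIVATE KEY-----\n")
    with zipfile.ZipFile(os.path.join(comp, "bundle.zip"), "w") as zf:
        zf.writestr("openclaw/credentials",
                    b"-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n")
    return tmp

def demo():
    """Build the constructed tree and return what the gate would flag."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_tree(build_demo_tree(tmp))

if __name__ == "__main__":
    hits = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for origin, key_type in hits:
        print(f"private key ({key_type}) found in {origin}")
    sys.exit(1 if hits else 0)  # non-zero exit blocks the release in CI
```

Run it against an unpacked release directory; a non-zero exit means a private key is shipping in the package.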

Implications of the Leak

The exposed certificate, issued by WoTrus CA Limited, is valid for all subdomains under `myclaw.360.cn` from March 12, 2026, to April 12, 2027. Possession of this private key enables attackers to:

– Intercept Communications: Decrypt all traffic between users and 360’s AI servers.

– Impersonate Servers: Set up fraudulent `myclaw.360.cn` endpoints that appear legitimate.

– Harvest Credentials: Create convincing login pages to capture user information.

– Hijack AI Sessions: Intercept or manipulate queries sent to the AI backend.

The wildcard nature of the certificate means the entire `myclaw.360.cn` infrastructure was compromised upon the installer’s release.

Response and Industry Impact

Following public disclosure, the certificate was reportedly revoked. However, because clients cache OCSP (Online Certificate Status Protocol) responses and some tolerate stale or missing ones, certain clients may continue to accept the certificate until their cached responses expire, delaying the practical effect of the revocation.

This incident is particularly embarrassing for Qihoo 360, especially after the founder’s public assurance that Security Claw would never leak passwords. The exposure of the private key before the product’s official launch undermines this promise.

With a valuation of $10 billion and a reputation built over two decades, Qihoo 360’s failure to secure its software development process is a stark reminder of the importance of rigorous security protocols.