Qihoo 360 SSL Key Leak: AI Tool Installer Exposes Security Risk

San Francisco, CA – A significant security lapse has been discovered at Qihoo 360, one of China’s largest cybersecurity companies, potentially exposing millions of users to risk. The company inadvertently shipped the private SSL key for one of its domains within the public installer for its new AI product, 360 Security Claw. This critical error could allow malicious actors to compromise the company’s infrastructure and intercept secure communications. The incident highlights the growing challenges of securing the software supply chain, particularly as artificial intelligence tools grow more integrated into cybersecurity products.

The exposed key, a wildcard SSL certificate valid until April 2027, covers every subdomain on myclaw.360.cn. Security researchers quickly identified the vulnerability after the release of 360 Security Claw, an AI assistant designed to manage the “OpenClaw” AI agent. The certificate was issued by WoTrus CA Limited, a subsidiary of Qihoo 360 itself, adding another layer of concern given WoTrus’s history. WoTrus is the rebranded WoSign, a certificate authority previously distrusted by major browsers like Chrome, Firefox, and Safari in 2016 for backdating SHA-1 certificates. Details of the leak first surfaced on Reddit, prompting widespread discussion within the cybersecurity community.

What is an SSL Key and Why Does This Matter?

Secure Sockets Layer (SSL) and its successor, Transport Layer Security (TLS), are protocols that encrypt communication between a web server and a browser, ensuring data transmitted remains private and secure. An SSL certificate verifies the identity of a website and enables this encrypted connection. The private key is a crucial component of this system; it’s used to decrypt data encrypted with the corresponding public key. If a private key falls into the wrong hands, attackers can decrypt sensitive information, impersonate the website, and potentially launch man-in-the-middle attacks.

“The exposure of a private SSL key is a severe security incident,” explains security analyst James Bird, who published a detailed write-up on the incident. Bird’s analysis confirms the authenticity of the leaked key, noting a matching MD5 fingerprint. The key was reportedly found within the installer package at /namiclaw/components/OpenClaw/openclaw.7z/credentials. The potential impact is significant, as the compromised certificate could be used to intercept communications to and from any subdomain of myclaw.360.cn.

Qihoo 360’s Response (or Lack Thereof)

As of Wednesday, March 18, 2026, Qihoo 360 has not issued a public statement regarding the leaked SSL key. This silence has drawn criticism from security experts, who emphasize the importance of transparency and swift action in such situations. The company’s lack of communication is particularly concerning given a recent promise from CEO Zhou Hongyi, made just six days prior to the discovery, that the 360 Security Claw product “would not leak passwords or other private information.”

The incident raises questions about Qihoo 360’s internal security practices and quality control measures. Shipping a private key in a public installer suggests a significant failure in the company’s development and release processes. The fact that the certificate was issued by a subsidiary with a history of security issues – WoSign – further compounds the problem. WoSign faced widespread distrust in 2016 after being found to have backdated certificates, a practice that undermines the trust inherent in the SSL/TLS system.

The Broader Implications for AI-Powered Security

This incident arrives at a time when artificial intelligence is increasingly being integrated into cybersecurity solutions. Even as AI offers the potential to enhance threat detection and response, it similarly introduces new attack vectors and complexities. The 360 Security Claw product itself was designed to address the challenges posed by “OpenClaw,” a viral AI agent. Although, the security flaw in the installer ironically undermines the very security principles the product aims to uphold.

The leak underscores the need for robust security practices throughout the entire software development lifecycle, especially when dealing with sensitive cryptographic keys. Companies developing AI-powered security tools must prioritize secure coding practices, rigorous testing, and comprehensive vulnerability management. The incident also highlights the importance of supply chain security, as vulnerabilities in third-party components or subsidiaries can have far-reaching consequences.

What is OpenClaw?

OpenClaw is an AI agent that gained traction recently for its ability to autonomously perform tasks online. While offering potential benefits, its unrestricted nature also raised concerns about its potential for misuse. Qihoo 360’s 360 Security Claw was positioned as a tool to control and manage these types of AI agents, but the security flaw in its distribution casts a shadow over its effectiveness. Social media posts indicate the incident is being referred to as a potential attempt to deflect blame, with some suggesting “OpenClaw did it” as a possible excuse.

What Should Users Do?

While Qihoo 360 has not yet issued specific guidance, security experts recommend that users who have installed 360 Security Claw should consider it potentially compromised. It’s advisable to revoke any credentials or sensitive information that may have been entered while using the application. Users should also monitor their accounts for any signs of unauthorized activity. It’s crucial to ensure that all software is kept up to date with the latest security patches to mitigate potential vulnerabilities.

The incident serves as a stark reminder of the ever-present threat landscape and the importance of vigilance. Even companies specializing in cybersecurity are not immune to security breaches, and users must take proactive steps to protect themselves. The lack of immediate response from Qihoo 360 is particularly troubling, and the company’s actions in the coming days will be critical in determining the extent of the damage and restoring user trust.

Key Takeaways

  • Qihoo 360 accidentally leaked a private SSL key within the installer for its 360 Security Claw AI assistant.
  • The compromised key could allow attackers to intercept secure communications and compromise the company’s infrastructure.
  • The certificate was issued by WoTrus CA Limited, a subsidiary of Qihoo 360 with a history of security issues.
  • Qihoo 360 has not yet issued a public statement regarding the incident.
  • The incident highlights the growing security challenges associated with AI-powered security tools and the software supply chain.

The situation remains fluid, and further investigation is needed to fully assess the impact of the leaked SSL key. World Today Journal will continue to monitor developments and provide updates as they become available. Users are encouraged to share their experiences and concerns in the comments below.

Leave a Comment