Security product leaks instead: 360 Security Lobster packs the private key of the HTTPS wildcard certificate into the local directory

CoinNetwork · 2026-03-16T15:14:26+00:00

Recently, 360's security product "Security Lobster" was exposed to have wildcard domain certificates and private keys directly packaged in the installation directory, posing security risks that could allow third parties to forge HTTPS connections; the 360 SRC team has confirmed and is addressing this issue.

CoinNetwork

2026-03-16 15:14:26

Abstract generation in progress

According to CoinWorld, based on monitoring by 1M AI News, 360 recently released a security product called “Security Lobster,” which was found to have packaged the wildcard domain certificate for *.myclaw.360.cn and its corresponding private key directly into the local installation directory. The interface of Security Lobster is based on a customized version of the 360 Browser and accessed via a local address. To achieve this local HTTPS connection, engineers included the wildcard certificate and private key in the client. The wildcard certificate covers all subdomains under myclaw.360.cn. If the private key is leaked, third parties could impersonate HTTPS connections for this domain. The certificate has not yet been revoked. 360 SRC team responded, stating this is an internally known issue that is currently being addressed.

View Original

This page may contain third-party content, which is provided for information purposes only (not representations/warranties) and should not be considered as an endorsement of its views by Gate, nor as financial or professional advice. See Disclaimer for details.

2 Likes