Qihoo 360 Leaked Its Own Wildcard SSL Private Key Inside Public AI Installer

Home Cyber Security News Qihoo 360 Leaked Its Own Wildcard SSL Private Key Inside Public AI... China’s largest cybersecurity firm, Qihoo 360, has inadvertently exposed its own wildcard SSL private key by bundling it directly inside the public installer of its newly launched AI assistant, 360Qihoo (Security Claw). The flaw discovered on March 16, 2026, is a textbook operational security failure from a company trusted by over 461 million users to protect their digital lives. Security Claw is a customized wrapper built on top of the OpenClaw browser framework, hosted at https://myclaw.360.cn:19798. Lukasz Olejnik, who downloaded the installer and inspected its directory structure, found a live, production-grade wildcard TLS private key sitting unprotected inside the package at the path /path/to/namiclaw/components/Openclaw/openclaw.7z/credentials. CHINA'S BIGGEST CYBERSECURITY COMPANY APPARENTLY JUST SHIPPED AN AI ASSISTANT WITH ITS OWN SSL PRIVATE KEY SITTING INSIDE THE INSTALLER. QIHOO 360, THINK NORTON OR MCAFEE, BUT DOMINANT ACROSS THE ENTIRE CHINESE MARKET IT APPEARS THAT THEIR NEW AI PRODUCT, 360安全龙虾 (SECURITY… PIC.TWITTER.COM/LSLH4SRO3C — Lukasz Olejnik (@lukOlejnik) March 16, 2026 The certificate, issued by WoTrus CA Limited, carries the Subject CN=*.myclaw.360.cn — a wildcard designation meaning it is cryptographically valid for every subdomain under the myclaw[.]360[.]cn domain. Its validity window runs from March 12, 2026, to April 12, 2027, and the matching RSA private key was confirmed by running OpenSSL modulus checks, which showed identical MD5 hashes for both the certificate and the key, proving they are a matched pair. Private Key Exposed An SSL/TLS private key is the cryptographic foundation of HTTPS. Possession of it allows an adversary to perform several high-impact attacks: Man-in-the-Middle (MitM) interception — silently decrypt all traffic between users and 360’s AI servers. Server impersonation — stand up a fake myclaw[.]360[.]cn endpoint that browsers trust as legitimate. Credential harvesting — serve convincing login pages that capture usernames and passwords. AI session hijacking — intercept or manipulate queries sent to the AI backend entirely. Because the key covers all subdomains, the blast radius is not limited to a single endpoint, the entire myclaw[.]360[.]cn infrastructure was theoretically compromised the moment the installer went public. Following public disclosure, the certificate was reportedly revoked. However, due to OCSP (Online Certificate Status Protocol) caching behavior, some clients may still receive a “valid” status response from cached lookups, meaning revocation is not instantaneous or universal. The timing makes the incident particularly embarrassing. Qihoo 360’s founder publicly promoted Security Claw with a pledge that the platform would “never leak passwords,” a promise the product broke before its launch day was over. With a $10 billion valuation and a security-first brand identity built over two decades, shipping a wildcard private key in a downloadable zip file is a fundamental failure of secure software development practices, the kind organizations routinely warn their own clients to avoid. Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories. RELATED ARTICLESMORE FROM AUTHOR Cyber Security News Fake FileZilla Downloads Lead to RAT Infections Through Stealthy Multi-Stage Loader Cyber Security News New ACRStealer Variant Uses Syscall Evasion, TLS C2 and Secondary Payload Delivery Cyber Security News Microsoft Exchange Online Mailbox Access Outage Affects Users Globally Top 10 Essential E-Signature Solutions for Cybersecurity in 2026 January 31, 2026 Top 10 Best Data Removal Services In 2026 January 29, 2026 Best VPN Services of 2026: Fast, Secure & Affordable January 26, 2026 Top 10 Best Data Security Companies in 2026 January 23, 2026 Top 15 Best Ethical Hacking Tools – 2026 January 15, 2026