China’s leading cybersecurity company, Qihoo 360, has encountered a significant security lapse by inadvertently embedding its wildcard SSL private key within the installer of its latest AI assistant, 360Qihoo, also known as Security Claw. This critical error was identified on March 16, 2026, and underscores an operational security misstep by a firm entrusted by over 461 million users worldwide.
Discovery of the Security Breach
Security Claw, which is built on the OpenClaw browser framework, shipped the key inside its installation package. Lukasz Olejnik, who examined the installer, found the unprotected private key sitting in the unpacked directory tree. The file, located at /path/to/namiclaw/components/Openclaw/openclaw.7z/credentials, was a live, production-grade wildcard TLS private key.
The certificate associated with this key was issued by WoTrus CA Limited and covered every subdomain under myclaw[.]360[.]cn. Verification showed that the public key in the certificate matched the leaked private key, confirming that the file was the certificate's actual key rather than an unrelated artifact. The certificate's validity spanned from March 12, 2026, to April 12, 2027.
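The incident above is the kind of thing a release-pipeline check catches before an installer ships: walk the unpacked package, find anything that looks like PEM-encoded private key material, and fail the build if it is unencrypted. The following scanner is an added example written for this article; it is not Qihoo 360's or the OpenClaw project's code, and it uses only the Python standard library. It looks inside .zip archives as a generalization (an assumption about the packaging; the article's path points at a .7z, which the standard library cannot open). All file contents below are constructed placeholders, not real keys. Confirming that a found key actually matches a given certificate is a separate step normally done with openssl and is not shown here.

```python
"""Pre-release scan of an unpacked installer tree for PEM private keys.

Added example, not the vendor's code. Standard library only.
"""
import base64
import os
import re
import tempfile
import zipfile
from dataclasses import dataclass
from typing import List, Optional

# Matches a PEM block whose label is any common private-key label. The END
# label must repeat the BEGIN label, which filters out mismatched fragments.
PEM_BLOCK = re.compile(
    rb"-----BEGIN (?P<label>(?:RSA |EC |DSA |ENCRYPTED |OPENSSH )?PRIVATE KEY)-----"
    rb"(?P<body>.*?)"
    rb"-----END (?P=label)-----",
    re.DOTALL,
)
MAX_FILE = 50 * 1024 * 1024  # skip huge binaries; keys live in small text files


@dataclass
class Finding:
    path: str        # file path; archive members are written as "archive!member"
    label: str       # PEM label, e.g. "RSA PRIVATE KEY"
    encrypted: bool  # True if the block is passphrase-protected
    der_len: int     # decoded payload length, a rough sanity check


def _pem_body_to_der(body: bytes) -> Optional[bytes]:
    """Decode the base64 payload of a PEM body, ignoring 'Key: value' header lines.

    Returns None when the payload is not valid base64, which weeds out
    documentation snippets such as '(redacted)' placeholders.
    """
    lines = [ln.strip() for ln in body.splitlines()]
    payload = b"".join(ln for ln in lines if ln and b":" not in ln)
    try:
        der = base64.b64decode(payload, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    return der or None


def scan_bytes(data: bytes, path: str) -> List[Finding]:
    """Return one Finding per genuine PEM private-key block in `data`."""
    findings = []
    for m in PEM_BLOCK.finditer(data):
        label = m.group("label").decode("ascii").strip()
        body = m.group("body")
        der = _pem_body_to_der(body)
        if der is None:
            continue
        # PKCS#8 encrypted keys carry it in the label; legacy PKCS#1 uses a header.
        encrypted = label.startswith("ENCRYPTED") or b"Proc-Type: 4,ENCRYPTED" in body
        findings.append(Finding(path, label, encrypted, len(der)))
    return findings


def scan_tree(root: str) -> List[Finding]:
    """Walk an unpacked installer directory, descending into .zip archives."""
    findings: List[Finding] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.getsize(full) > MAX_FILE:
                continue
            if zipfile.is_zipfile(full):
                with zipfile.ZipFile(full) as zf:
                    for info in zf.infolist():
                        if info.file_size <= MAX_FILE:
                            findings += scan_bytes(zf.read(info), f"{full}!{info.filename}")
                continue
            with open(full, "rb") as fh:
                findings += scan_bytes(fh.read(), full)
    return sorted(findings, key=lambda f: f.path)


def _fake_pem(label: str, headers: bytes = b"") -> bytes:
    """Constructed PEM block with a junk payload. This is NOT a real key."""
    payload = base64.encodebytes(b"constructed placeholder, not key material " * 2)
    return b"-----BEGIN %s-----\n%s%s-----END %s-----\n" % (
        label.encode(), headers, payload, label.encode())


CONSTRUCTED_PLAIN_KEY = _fake_pem("RSA PRIVATE KEY")
CONSTRUCTED_ENCRYPTED_KEY = _fake_pem(
    "RSA PRIVATE KEY",
    b"Proc-Type: 4,ENCRYPTED\nDEK-Info: AES-256-CBC,00000000000000000000000000000000\n\n")
# A README that shows the PEM shape with a placeholder body must not be flagged.
DOC_DECOY = b"Put your key here:\n-----BEGIN RSA PRIVATE KEY-----\n(redacted)\n-----END RSA PRIVATE KEY-----\n"


def build_demo_tree() -> str:
    """Create a throwaway directory shaped like an unpacked installer (constructed data)."""
    root = tempfile.mkdtemp(prefix="installer_scan_")
    cred_dir = os.path.join(root, "components", "credentials")
    os.makedirs(cred_dir)
    with open(os.path.join(cred_dir, "server.key"), "wb") as fh:
        fh.write(CONSTRUCTED_PLAIN_KEY)
    with open(os.path.join(root, "README.txt"), "wb") as fh:
        fh.write(DOC_DECOY)
    with zipfile.ZipFile(os.path.join(root, "bundle.zip"), "w") as zf:
        zf.writestr("conf/backup.key", CONSTRUCTED_ENCRYPTED_KEY)
        zf.writestr("conf/app.ini", b"[server]\nport=443\n")
    return root


if __name__ == "__main__":
    for f in scan_tree(build_demo_tree()):
        severity = "WARN" if f.encrypted else "FAIL"  # unencrypted key = block the release
        print(f"{severity} {f.path}: {f.label} (encrypted={f.encrypted}, {f.der_len} bytes)")
```

In a pipeline the unencrypted finding is a hard failure and the encrypted one a warning to review, since a passphrase-protected key in an installer is still a secret that should not ship. The base64 validation step is what keeps documentation and test fixtures from producing noise.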
Implications of the Leak
The exposure of an SSL/TLS private key is a severe security threat, because whoever holds the key can present a certificate that browsers and clients trust for that name. The resulting risks include man-in-the-middle attacks, server impersonation, credential harvesting, and AI session hijacking across the infrastructure under the myclaw[.]360[.]cn domain. Because the certificate is a wildcard, the compromise is not limited to one host: every subdomain covered by the certificate is affected.
Although the certificate was reportedly revoked after the key became public, revocation does not take effect instantly. Clients that cached an earlier "good" OCSP response may continue to treat the certificate as valid until that cached response expires, so the revocation is neither immediate nor absolute.
Reputation and Industry Impact
This incident is particularly damaging given the timing. Qihoo 360's founder had recently assured the public of the platform's security robustness, promising no password leaks. That assurance was undercut on the very first day of the product's launch. Qihoo 360, a company valued at $10 billion with a strong security-centric reputation, now faces scrutiny over its secure software development practices.
Such a fundamental oversight is a stark reminder that secrets management and release checks need to be part of the build process, not an afterthought. Organizations like Qihoo 360 routinely warn clients against exactly this kind of lapse, which makes the incident a significant setback for consumer trust.
