Even veterans of the security industry sometimes stumble. Recently, 360 Company's new AI product "360 Security Lobster" was found to have a serious, elementary security oversight, triggering widespread doubts in the industry about how AI products are vetted before release.

According to the reports, the incident originated from the product installation package of 360 Security Lobster being found to directly include the SSL private key and certificate for the wildcard domain *.myclaw.360.cn. This is equivalent to leaving your "master key" in a public place: once an attacker obtains the private key, they can in principle impersonate the server, mount a man-in-the-middle attack, or intercept user traffic.

In response to the controversy, 360 Company quickly responded, stating that the issue was caused by a low-level mistake in the release process, which led to the website certificate for an internal domain being accidentally bundled into the installation package.

To minimize the damage, 360 has taken the following emergency measures:

Immediate revocation: The involved certificate has been revoked and is now completely invalid.

Risk assessment: The company stated that ordinary users are currently not affected, and that the possibility of using the private key to impersonate a server has been technically blocked.

For a leading domestic cybersecurity company, 360 tripping over the security of its own AI product undoubtedly serves as a warning to the entire AI industry. With large models and intelligent agents being released at a dense pace, making sure the automated checks in the release process are more than a formality is an area companies urgently need to improve.