360 responds to "Security Lobster" private key leak: caused by a publishing error, certificate has been revoked


On the evening of March 16, 360 Corporation issued an official statement on the exposure of a private key shipped with its product "360 Security Lobster," saying that the SSL certificate involved had been revoked immediately. According to the statement, the certificate is now invalid, so attackers cannot use the private key to impersonate servers or hijack traffic, and ordinary users are not affected. One caveat applies to any such revocation: it protects only clients that actually check certificate status (via CRL or OCSP); a client that skips that check still accepts a certificate that chains correctly, so re-issuing the certificate and rotating the key on every service that used it matters as much as the revocation itself.

360 explained that the private key leak resulted from operational errors during product release, which caused the certificate for an internal domain, together with its key, to be unintentionally bundled into the public installation package. The company has opened an internal investigation and says it will further tighten its security management mechanisms to prevent similar oversights.

On March 14, 360 Group announced the launch of the “360 Security Lobster” intelligent agent application client and the “360 Security Lobster Box” hardware terminal, along with the release of the dedicated “360 Lobster Guard” to address OpenClaw (Lobster) security issues.

This product is positioned as a one-click deployment tool for OpenClaw intelligent agents. Its core function is to lower the barriers for local deployment of AI agents, providing convenient services for both ordinary and enterprise users.

On the same day, 360 held a special event at its headquarters campus offering free installation of “Lobster,” where founder Zhou Hongyi demonstrated how to install and deploy “360 Security Lobster” for users.

As a native security component of 360 Security Lobster, "360 Lobster Guard" runs the agent inside a virtualized sandbox (WSL, the Windows Subsystem for Linux), isolating the agent's execution environment from user data. It also uses an AI security engine to identify malicious skills, abnormal commands, and potential vulnerabilities, actively intercepting attacks such as skill poisoning and prompt injection.

Zhou Hongyi emphasized, “Security is always a supporting role. Its mission is to safeguard digital and intelligent development. We won’t over-intercept or disturb users’ normal use, only addressing core security issues.”

However, two days later, on March 16, security researchers who unpacked the product's installation package found, under one path inside it, a wildcard SSL certificate and its corresponding RSA private key stored in plaintext.

A private key is a core security credential: with it, an attacker could in principle stand up forged HTTPS services for every hostname the wildcard certificate covers, mount man-in-the-middle attacks, and steal user data or deliver malicious programs.
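The check the researchers effectively performed (unpack the installer, look for PEM private keys, and see whether any certificate in the same tree belongs to one of them) can be scripted. The script below is an added example written for this article, not 360's tooling and not the researchers' script. It assumes a POSIX shell and the `openssl` command line; the installer tree it scans is a constructed fixture built by `make_fixture` (a self-signed wildcard certificate with its key, plus an unrelated key), and all paths and names in it are made up.

```shell
#!/bin/sh
# Added example: scan an unpacked installer tree for PEM private keys and
# report which certificate in the same tree, if any, each key belongs to.
# Matching is done on the SHA-256 of the DER SubjectPublicKeyInfo, which works
# for RSA and EC keys alike. Requires the openssl CLI. Fixture is constructed.
set -eu

# make_fixture DIR: constructed "unpacked installer" with a leaked pair
# (wildcard cert + matching key) and one unrelated key.
make_fixture() {
    dir=$1
    mkdir -p "$dir/resources/certs" "$dir/bin"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj '/CN=*.internal.example.test' \
        -keyout "$dir/resources/certs/server.key" \
        -out "$dir/resources/certs/server.crt" >/dev/null 2>&1
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/bin/other.key" >/dev/null 2>&1
    printf 'not a key\n' > "$dir/bin/readme.txt"
}

# find_private_keys DIR: print every file containing a PEM private key block.
find_private_keys() {
    find "$1" -type f -exec grep -l -- '-----BEGIN .*PRIVATE KEY-----' {} + \
        2>/dev/null | sort
}

# key_spki_hash KEYFILE: SHA-256 of the public key derived from a private key.
key_spki_hash() {
    openssl pkey -in "$1" -pubout -outform DER 2>/dev/null \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# cert_spki_hash CERTFILE: SHA-256 of the public key inside a certificate.
cert_spki_hash() {
    openssl x509 -in "$1" -noout -pubkey 2>/dev/null \
        | openssl pkey -pubin -outform DER 2>/dev/null \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# key_matches_cert KEYFILE CERTFILE: exit 0 if the key is the cert's key.
key_matches_cert() {
    [ "$(key_spki_hash "$1")" = "$(cert_spki_hash "$2")" ]
}

# find_matching_cert KEYFILE DIR: print the certificate(s) in DIR whose public
# key corresponds to KEYFILE; prints nothing if the key is unaccompanied.
find_matching_cert() {
    want=$(key_spki_hash "$1")
    find "$2" -type f -exec grep -l -- '-----BEGIN CERTIFICATE-----' {} + \
        2>/dev/null | sort |
    while IFS= read -r cert; do
        if [ "$(cert_spki_hash "$cert")" = "$want" ]; then
            printf '%s\n' "$cert"
        fi
    done
}

# demo: build the fixture, scan it, and report every key with its cert
# subject so a reviewer sees at a glance which hostnames are exposed.
demo() {
    tmp=$(mktemp -d)
    make_fixture "$tmp"
    find_private_keys "$tmp" | while IFS= read -r key; do
        cert=$(find_matching_cert "$key" "$tmp")
        if [ -n "$cert" ]; then
            subj=$(openssl x509 -in "$cert" -noout -subject)
            printf 'LEAKED PAIR: %s <-> %s (%s)\n' "$key" "$cert" "$subj"
        else
            printf 'key without cert in package: %s\n' "$key"
        fi
    done
    rm -rf "$tmp"
}

[ "${1:-}" = demo ] && demo
```

Run it as `sh scan.sh demo` to see the report on the constructed fixture, or source it and point `find_private_keys` and `find_matching_cert` at a real unpacked installer directory. A key that pairs with a certificate is the case described above: the bundle ships a usable credential for every name the certificate covers, and the remedy is to revoke and re-issue. A key with no certificate in the package still deserves a look, since the matching certificate may simply live on a server.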

For a company whose core business is cybersecurity, shipping an internal private key inside a public installation package was widely regarded as a serious security lapse.

OpenClaw (commonly known as “Lobster”) is an open-source framework capable of automating office tasks, system operations, API calls, and more. It has been dubbed the “All-in-One AI Worker” by netizens and has rapidly swept through China’s tech industry since the beginning of this year, recently sparking a nationwide “Lobster Farming” craze.

The industry chain related to OpenClaw has seen a surge in popularity, with Baidu hosting a “Lobster Market” attracting thousands of people queuing to install, Tencent offering free deployment services outside its office building, and Mac mini devices compatible with OpenClaw experiencing nationwide shortages and second-hand market premiums. At the policy level, many local governments have also introduced supportive policies.

However, behind the craze, security risks associated with OpenClaw have become apparent. The National Internet Emergency Center and the Ministry of Industry and Information Technology have previously issued security warnings, pointing out weak default security configurations, exposure to the public network, key leaks, and plugin poisoning risks. Several instances of OpenClaw being hacked worldwide have been reported.

The private key leak at 360 highlights the urgent need for improved security management among vendors during the rapid popularization of AI intelligent agents.
