A security researcher has disclosed critical issues in the processes and third-party API used by Symantec certificate resellers. The flaws could allow an unauthenticated attacker to retrieve other people’s SSL certificates, including public and private keys, as well as to reissue or revoke those certificates. Using the same API vulnerabilities, the attacker could even have gained full control over another customer’s certificates. The vulnerability was discovered by Chris Byrne, an information security consultant and instructor for Cloud Harmonics, and disclosed in a Facebook post published over the weekend.
Source: https://thehackernews.com/2017/03/symantec-ssl-certificates.html