Qihoo 360 Leaked Its Own Wildcard SSL Private Key Inside Public AI Installer

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer

China’s largest cybersecurity firm, Qihoo 360, has inadvertently exposed its own wildcard SSL private key by bundling it directly inside the public installer of its newly launched AI assistant, 360Qihoo (Security Claw).

The flaw, discovered on March 16, 2026, is a textbook operational security failure from a company trusted by over 461 million users to protect their digital lives.

Security Claw is a customized wrapper built on top of the OpenClaw browser framework, hosted at https://myclaw.360.cn:19798.

Researchers who downloaded the installer and inspected its directory structure found a live, production-grade wildcard TLS private key sitting unprotected inside the package at the path /path/to/namiclaw/components/Openclaw/openclaw.7z/credentials.

The certificate, issued by WoTrus CA Limited, carries the Subject CN=*.myclaw.360.cn — a wildcard designation meaning it is cryptographically valid for every subdomain under the myclaw[.]360[.]cn domain.

Its validity window runs from March 12, 2026, to April 12, 2027, and the matching RSA private key was confirmed by running OpenSSL modulus checks, which showed identical MD5 hashes for both the certificate and the key, proving they are a matched pair.

Private Key Exposed

An SSL/TLS private key is the cryptographic foundation of HTTPS. Possession of it allows an adversary to perform several high-impact attacks:

  • Man-in-the-Middle (MitM) interception — silently decrypt all traffic between users and 360’s AI servers.
  • Server impersonation — stand up a fake myclaw[.]360[.]cn endpoint that browsers trust as legitimate.
  • Credential harvesting — serve convincing login pages that capture usernames and passwords.
  • AI session hijacking — intercept or manipulate queries sent to the AI backend entirely.

Because the key covers all subdomains, the blast radius is not limited to a single endpoint — the entire myclaw[.]360[.]cn infrastructure was theoretically compromised the moment the installer went public.

Following public disclosure, the certificate was reportedly revoked. However, due to OCSP (Online Certificate Status Protocol) caching behavior, some clients may still receive a “valid” status response from cached lookups, meaning revocation is not instantaneous or universal.

The timing makes the incident particularly embarrassing. Qihoo 360’s founder publicly promoted Security Claw with a pledge that the platform would “never leak passwords,” a promise the product broke before its launch day was over.

With a $10 billion valuation and a security-first brand identity built over two decades, shipping a wildcard private key in a downloadable zip file is a fundamental failure of secure software development practices, the kind organizations routinely warn their own clients to avoid.
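
A pre-release check that flags this class of mistake, as an added example (not code from the article or from Qihoo 360): it walks a staged installer directory, opens nested zip archives, and reports any file carrying a PEM private key header. The function names, directory layout and sample key header are constructed for illustration; Python's standard library reads only zip, so a `.7z` bundle like the one described above would first need unpacking with a separate tool.

```python
import io
import re
import tempfile
import zipfile
from pathlib import Path

# PEM headers that mark private key material (PKCS#1, PKCS#8, EC, DSA, OpenSSH).
PEM_KEY = re.compile(rb"-----BEGIN (?:RSA |EC |DSA |OPENSSH |ENCRYPTED )?PRIVATE KEY-----")
MAX_DEPTH = 3  # levels of nested archives to open before falling back to a raw search


def scan_bytes(name, data, depth=0):
    """Return the locations of PEM private keys in data, recursing into zip archives."""
    if depth < MAX_DEPTH and zipfile.is_zipfile(io.BytesIO(data)):
        hits = []
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if not info.is_dir():
                    hits += scan_bytes(f"{name}!{info.filename}", zf.read(info), depth + 1)
        return hits
    return [name] if PEM_KEY.search(data) else []


def scan_tree(root):
    """Walk a staged installer directory and list every embedded private key."""
    hits = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file():
            hits += scan_bytes(path.relative_to(root).as_posix(), path.read_bytes())
    return hits


def build_sample(root):
    """Constructed layout (not the real installer): a key header inside a nested archive."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("credentials/server.key", "-----BEGIN RSA PRIVATE KEY-----\nCONSTRUCTED\n")
        zf.writestr("credentials/server.crt", "-----BEGIN CERTIFICATE-----\nCONSTRUCTED\n")
    comp = Path(root) / "components"
    comp.mkdir(parents=True)
    (comp / "bundle.zip").write_bytes(inner.getvalue())


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        found = scan_tree(tmp)
        print("\n".join(f"private key material: {hit}" for hit in found))
        raise SystemExit(1 if found else 0)  # non-zero exit fails the release job
```

Run as a blocking step on the final packaged artifact rather than on the source tree, since the key in this incident sat inside a bundled archive.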
