Qihoo 360, China's biggest cybersecurity company, accidentally made its own wildcard SSL private key public by shipping it inside the public installer for its new AI assistant, 360Qihoo (Security Claw). The flaw, found on March 16, 2026, is a textbook example of a security failure by a company that over 461 million people trust to keep their digital lives safe.

Security Claw is a personalized wrapper that sits on top of the OpenClaw browser framework and can be found at https://myclaw.360.cn:19798. Lukasz Olejnik downloaded the installer and looked at its directory structure. He found a live, production-grade wildcard TLS private key, unprotected, inside the package at the path /path/to/namiclaw/components/Openclaw/openclaw.7z/credentials.

The certificate was issued by WoTrus CA Limited and has the Subject CN=*.myclaw.360.cn. This is a wildcard designation, meaning the certificate is cryptographically valid for every subdomain of myclaw[.]360[.]cn.

The certificate is valid from March 12, 2026, to April 12, 2027. We verified that the RSA private key matches the certificate by running OpenSSL modulus checks: the MD5 hashes of the modulus taken from the certificate and from the key were identical, proving that they are a matched pair.

Private Key Exposed

An SSL/TLS private key is the basis for HTTPS encryption. If an adversary has it, they can carry out a number of high-impact attacks:

Man-in-the-Middle (MitM) interception: decrypt all traffic between users and 360's AI servers without anyone knowing.

Server impersonation: set up a fake myclaw[.]360[.]cn endpoint that browsers accept as genuine.

Credential harvesting: create fake login pages that collect usernames and passwords.

AI session hijacking: take over or alter queries sent to the AI backend.

Because the key covers all subdomains, the blast radius is not limited to a single endpoint.
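As an added example, not code from the article or from Qihoo 360, here is a pre-release check a build pipeline could run on an unpacked installer tree: it finds every embedded PEM private key and applies the same OpenSSL modulus comparison described above to tell whether any of them is the private half of a given production certificate. It assumes the openssl CLI is installed; the directory and certificate paths are supplied by the caller.

```shell
# Added example, not code from the article or from Qihoo 360.
# Scans an unpacked installer tree for embedded PEM private keys and checks,
# with the same OpenSSL modulus comparison the article describes, whether any
# of them is the private half of a given production certificate.
# Assumes the openssl CLI; all paths are supplied by the caller.

# modulus_fingerprint FILE KIND -> MD5 of the RSA modulus (KIND is x509 or rsa);
# fails (no output) when FILE is not an RSA key or certificate
modulus_fingerprint() {
    m=$(openssl "$2" -noout -modulus -in "$1" 2>/dev/null) || return 1
    printf '%s' "$m" | openssl md5 | awk '{print $NF}'
}

# key_matches_cert KEY CERT -> exit 0 only if KEY is the private half of CERT
key_matches_cert() {
    k=$(modulus_fingerprint "$1" rsa) || return 1
    c=$(modulus_fingerprint "$2" x509) || return 1
    [ "$k" = "$c" ]
}

# find_private_keys DIR -> one path per line for every file holding a PEM private key
find_private_keys() {
    grep -rlE -- '-----BEGIN (RSA |EC |ENCRYPTED )?PRIVATE KEY-----' "$1" 2>/dev/null
}

# audit_package DIR CERT -> exit 1 (fail the release) if any embedded key matches CERT;
# keys that do not match are only reported, since a package may carry harmless test keys
audit_package() {
    rc=0
    while IFS= read -r f; do
        [ -n "$f" ] || continue
        if key_matches_cert "$f" "$2"; then
            echo "LEAK: $f is the private key for $(openssl x509 -noout -subject -in "$2")"
            rc=1
        else
            echo "WARN: $f contains a private key that does not match $2"
        fi
    done <<EOF
$(find_private_keys "$1")
EOF
    return $rc
}
```

Run it as `audit_package ./unpacked-installer ./production.crt` in CI and block the release on a non-zero exit.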

In theory, the whole myclaw[.]360[.]cn infrastructure was compromised as soon as the installer went public. The certificate was reportedly revoked after the exposure became public. However, because of how OCSP (Online Certificate Status Protocol) responses are cached, some clients may still receive a "valid" status from cached lookups. This means that revocation is neither instantaneous nor universal.

The timing of the event makes it even more embarrassing.

The founder of Qihoo 360 publicly backed Security Claw, promising that the platform would "never leak passwords." However, the product broke that promise before launch day was over. For a company with a $10 billion valuation and a brand identity that puts security first, shipping a wildcard private key in a downloadable zip file is a basic mistake in secure software development of exactly the kind such companies constantly tell their clients to avoid.
